RE: MS Outlook/Outlook Express Preview Pane Security Issue?

From: Dozal, Tim (tdozal_at_cisco.com)
Date: 03/30/04

  • Next message: xilopublic1_at_ca.inter.net: "Secure host newbie"
    Date: Mon, 29 Mar 2004 15:30:26 -0800
    To: <kurtbuff@spro.net>, <security-basics@securityfocus.com>
    
    

    Kurt,

    The biggest problem I saw with the preview pane is it could be tricked
    into execuiting code on your system even with no attachment present. If
    you disable all HTML e-mail then you might avoid this but if you receive
    HTML embedded in your e-mail as most people do now days when using
    Outlook of any version then you are at risk. Even though you may be
    filtering attachments and be running zone alarm your e-mail client will
    execute a lot of embedded HTML which basically acts like you are using a
    browser and visiting somebody's web site to pull the content. That
    being said look into all of the vulnerabilities which require you to
    visit a malicious web site and you will quickly fear web surfing all but
    the most trusted sites. Your system can easily be compromised via one
    of those types of exploits merly from the preview pane acting like a
    browser and pulling content from a site embeded in the mail message
    body.

    Again as I posted before, anything but Outlook 2003 I would recommend
    against the preview pane.

    Tim

    -----Original Message-----
    From: Kurt [mailto:kurtbuff@spro.net]
    Sent: Friday, March 26, 2004 3:43 PM
    To: security-basics@securityfocus.com
    Subject: RE: MS Outlook/Outlook Express Preview Pane Security Issue?

    I beg to differ.

    First thing *I* do with Outlook (I use OL2k, don't use OE - hate it) is
    set security on it, and turn off everything.

    Go to Tools/Options/Security/Zone Settings/Custom Settings, and disable
    everything.

    Preview pane has not ever bitten me. I'm sure that's in part because I'm
    just very careful anyway, but setting security does do a lot. As well,
    I'm using Zone Alarm, and it strips all executable attachments (google
    for Martin Blackstone's List of Danger).

    -----Original Message-----
    From: Justin F. Knox [mailto:jknox@indexzero.org]
    Sent: Thursday, March 25, 2004 16:15
    To: security-basics@securityfocus.com
    Subject: RE: MS Outlook/Outlook Express Preview Pane Security Issue?

    >>Is there any security/privacy risk in enabling the preview pane in
    Microsoft
    >>Outlook and Outlook Express even when latest patches are installed?
    >
    >I'd say yes, because it's still unsecured even with the latest round of

    >patches. Now Outlook 2003's preview pane won't download images or
    render
    >script, unless you turn it on. For that I'd still say no, but I've been

    >testing it out and haven't had a problem yet. I just use Auto Preview
    in
    >Outlook, work ok and renders in plain text.

    I'd have to agree here. On any installation of Outlook that I'm to use,
    the first thing to turn off is the preview pane. Simply because it
    renders everything (or just about...). Very dangerous. It kind of
    defeats the purpose of telling your users not to open e-mails with
    'blah' for an attachment if their MUA does it for them.

    just my $0.02.

    --Justin

    ------------------------------------------------------------------------

    ---
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off any course! All of our class sizes are guaranteed to be 10 students
    or less to facilitate one-on-one interaction with one of our expert
    instructors.
    Attend a course taught by an expert instructor with years of
    in-the-field pen testing experience in our state of the art hacking lab.
    Master the skills of an Ethical Hacker to better assess the security of
    your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ------------------------------------------------------------------------
    ----
    ------------------------------------------------------------------------
    ---
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off any course! All of our class sizes are guaranteed to be 10 students
    or less to facilitate one-on-one interaction with one of our expert
    instructors. 
    Attend a course taught by an expert instructor with years of
    in-the-field pen testing experience in our state of the art hacking lab.
    Master the skills of an Ethical Hacker to better assess the security of
    your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ------------------------------------------------------------------------
    ----
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
    any course! All of our class sizes are guaranteed to be 10 students or less 
    to facilitate one-on-one interaction with one of our expert instructors. 
    Attend a course taught by an expert instructor with years of in-the-field 
    pen testing experience in our state of the art hacking lab. Master the skills 
    of an Ethical Hacker to better assess the security of your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    

  • Next message: xilopublic1_at_ca.inter.net: "Secure host newbie"