I've been following Outlook security issues for nearly 10 years now.
Outlook blocks HTML scripts and executable attachments. The last
significant vulnerability was eliminated years ago when the <iframe> tag
was blocked. Potential vulnerabilities (none found in the wild that I
can recall) are addressed with the occasional security patch for IE or
Word, although we could all wish for those to come faster.
If you know of an instance in the past 5 years when an HTML message by
itself caused an actual -- not a theoretical -- problem on a system
running a fully patched, current version of Outlook, I'm sure we'd all
be able to learn something from it, but I don't recall such a case. I'm
always willing to learn, though.
--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003
and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
Melelina said:
With such astounding ignorance displayed, I have no idea where to
start! Do
you know anything about computer security? Why don't you start
reading the
dslreports.com security forum and Wilderssecurity.com and
castlecops.com and
get some much needed education?
HTML mail is not dangerous. What makes you think that it is?
The last security flaw that I heard about was the one involving images.
If the e-mail client displayed the image, it was possible to infiltrate
the host. However, that really wasn't a fault in Outlook. That was a
fault in the graphics engine back in Windows, so the infiltration
occurred in any e-mail client that showed the image. The infiltration
occurred even when no e-mail client was used and the user simply opened
the image file. The file didn't even have to come via an e-mail client.
Some nasty web sites used the technique in the graphics they showed on
their pages.
Only ignorant users would *change* the security zone from Restricted
Sites to Internet. Some do because they want Javascript or applets
running in their e-mails but then they have deliberately chosen to
reduce security. The default in Outlook is to render HTML-formatted
e-mails in the Restricted Sites security zone, and the default for the
Restricted Sites security zone is at its High settings level. If you
reduce either of those, you are the idiot for doing so and shouldn't
waste anyone's time whining about infections because of YOUR choices to
reduce security.
The only remaining security hole that none of the security zones address
is the use of the web beacon (or web bug). None of them restrict linked
content, like a graphic image (which you may not even see since it could
be one pixel that is the same color as the background). It wasn't until
the option got added to Outlook [Express] to block Internet content that
this hole got addressed. I don't remember if it was set by default, so
check that it is set. If you really need to see those linked images,
you get an infobar to make that choice, but it is still YOUR choice to
go yank those images from someone else's server that can track that you
yanked those images.
So, Melelina, rather than spew vaguities regarding what you aggregated
from others' posts, please explain to us just how HTML-formatted e-mails
can cause harm? With settings of Restricted Sites at its High level and
with the option to block linked content, please favor us with some real
information regarding how HTML-formatted e-mails can cause harm (other
than to bloat a message that could've been easily sent as just plain
text). We are waiting for some real information, not regurgitation of
some nebulous feelings. If you have real info on an attack vector
though HTML-formatted e-mails when using Outlook, we would definitely
like to hear about it.
