Preview pane - dangerous?!

[Guest]

Some of my IT friends insist that it is dangerous to have the preview pane
switched on in Outlook. Some of my IT friends say that it is not true that I
can get a virus by simply viewing the message via the preview pane. I have
switched off the option that an e-mail will be marked as read when I flick
through my messages.

I love having the preview pane switched on as often I get messages from
e-mail addresses I would assume to be junk but when I read the content I
realise that it is an important message after all.

Does anyone have an answer if I can get a virus if I have the preview pane
switched on but do not open the actual e-mail?!

Regards

Nicole

 

[Sue Mosher [MVP-Outlook]]

Unless your IT friends are using an early version of Outlook 98 or 2000 and
have never patched Internet Explorer, they are very, very mistaken.

 

[George Hester]

Oh yes very dangerous. See the files that may get d/l or put on your machine by previewing are no different
then what you can get on your machine by visiting the dubious sites the sppammers want you to go to.

Microsoft has put a lot of effort in convincing users that the preview of e-mail issue here in Outlook has been
fixed. Well now don't believe them because tomorrow they'll have another fix. Count on it.

 

[Vanguard]

Some of my IT friends insist that it is dangerous to have the preview
pane
switched on in Outlook. Some of my IT friends say that it is not true
that I
can get a virus by simply viewing the message via the preview pane. I
have
switched off the option that an e-mail will be marked as read when I
flick
through my messages.

I love having the preview pane switched on as often I get messages
from
e-mail addresses I would assume to be junk but when I read the content
I
realise that it is an important message after all.

Does anyone have an answer if I can get a virus if I have the preview
pane
switched on but do not open the actual e-mail?!

Regards

Nicole

Make sure the security zone selected within Outlook is the Restricted
Sites zone, and then check the Restricted Sites security zone is set to
its highest setting. That kills scripts from running, file and font
downloads, ActiveX downloads and execute, and everything potentially
nasty -- EXCEPT web bugs. None of the security zones have an option to
block linked images which could be used as web bugs.

Web bugs can alert the sender that you opened their e-mail so they know
they reached a valid e-mail address and that it is actively monitored.
If you want to see how web bugs can be used to trigger on someone
opening an HTML-formatted e-mail with linked images, visit MsgTag.com.
They provide a freebie tool that lets you insert a web bug into your
e-mail that will alert you when someone opens your HTML-formatted
message. It is for senders that try an to provide an end-around read
receipts because most recipients disable that feature or have it prompt
them (and they say no). However, it is damn easy to defeat web bugs.
Read your messages in plain-text mode, configure your e-mail client to
block linked images until you decide you want to see them (if this is an
option), or use an anti-spam proxy filter, like SpamPal and its
HTML-Modify plug-in, to disable the linked images (by renaming the <IMG>
tag to <XMG> which is a bogus tag but you can go into the HTML code if
you really needed to retrieve that image by getting the URL to it). I
experimented with MsgTag for awhile but got rid of for 3 reasons: (1) It
can be easily disabled by the methods I mentioned; (2) It is an invasion
of privacy in trying to "tap" your messages to see what the recipient
does with them (it should still be the recipient's choice if they ever
inform you that they got your message); and, (3) You must send in HTML
format for web bugs to work but you shouldn't be normally using HTML for
short memos, notes, or any message that really doesn't need HTML unless
formatting is crucial to connote additional content to your message,
like using tables for columnar data or showing integrals in an equation.

If you don't want to use the Preview pane (because you've been scared by
unsubstantiated horror stories by those yet to prove the insecurity of
using the Preview pane when under the Restricted Sites security zone set
to High) then instead use the AutoPreview mode. This will show the
first lines of each message in plain-text only format. In the message
list pane when using AutoPreview mode, you see the headers for the
message followed by a few lines of the body of the message as plain
text. That way, you can determine if it looks like a message that you
want to open before you fully open it.

 

[Diane Poremsky [MVP]]

Preview pane is just as safe as opening a message (actually a bit safer, as
it can't run as much active content as an opened message), especially in
newer versions with all of the current windows and Outlook patches
installed. If you don't trust MS, Chilton preview gives you a plain text
view of all of your mail - without ruining the html should you want to view
it in html. (Outlook 2003's plain text feature lets you swap back to html
quickly too.)

--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)



Join OneNote Tips mailing list: http://www.onenote-tips.net/


Oh yes very dangerous. See the files that may get d/l or put on your
machine by previewing are no different
then what you can get on your machine by visiting the dubious sites the
sppammers want you to go to.

Microsoft has put a lot of effort in convincing users that the preview of
e-mail issue here in Outlook has been
fixed. Well now don't believe them because tomorrow they'll have another
fix. Count on it.

 

[Diane Poremsky [MVP]]

As long as you use a newer version of outlook, use preview if you prefer
it - it's actually safer than opening a messages because it can't run as
much active content... if you are concerned, use Chilton preview instead -
it doesn't render html.

See http://www.slipstick.com/emo/2004/up040204.htm#preview for more
information on preview pane safety.

--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)



Join OneNote Tips mailing list: http://www.onenote-tips.net/

 

[Sue Mosher [MVP-Outlook]]

Outlook 2003 blocks all so-called "web bugs" by default, except for mail
from domains in the Trusted Sites zone and or from the Safe Senders list.

 

[George Hester]

I use PocketKnife Peek. I never open or preview a e-mail. Never. Except email from me that I know I've
sent to myself or those I am sure have nothing dangerous in them. I can tell that by PocketKnife Peek.

Relying on a third-party or Microsoft to make the decision of what's safe and what's not is a sure fire way of
getting burned.

--
George Hester
_________________________________

Preview pane is just as safe as opening a message (actually a bit safer, as
it can't run as much active content as an opened message), especially in
newer versions with all of the current windows and Outlook patches
installed. If you don't trust MS, Chilton preview gives you a plain text
view of all of your mail - without ruining the html should you want to view
it in html. (Outlook 2003's plain text feature lets you swap back to html
quickly too.)

--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)



Join OneNote Tips mailing list: http://www.onenote-tips.net/


Oh yes very dangerous. See the files that may get d/l or put on your
machine by previewing are no different
then what you can get on your machine by visiting the dubious sites the
sppammers want you to go to.

Microsoft has put a lot of effort in convincing users that the preview of
e-mail issue here in Outlook has been
fixed. Well now don't believe them because tomorrow they'll have another
fix. Count on it.

--
George Hester
_________________________________

Some of my IT friends insist that it is dangerous to have the preview pane
switched on in Outlook. Some of my IT friends say that it is not true that
I
can get a virus by simply viewing the message via the preview pane. I have
switched off the option that an e-mail will be marked as read when I flick
through my messages.

I love having the preview pane switched on as often I get messages from
e-mail addresses I would assume to be junk but when I read the content I
realise that it is an important message after all.

Does anyone have an answer if I can get a virus if I have the preview pane
switched on but do not open the actual e-mail?!

Regards

Nicole

 

[Jeff Stephenson [MSFT]]

I use PocketKnife Peek. I never open or preview a e-mail. Never. Except email from me that I know I've
sent to myself or those I am sure have nothing dangerous in them. I can tell that by PocketKnife Peek.

Relying on a third-party or Microsoft to make the decision of what's safe and what's not is a sure fire way of
getting burned.

On the other hand, I've been using the preview pane in Outlook 2003 since
long before it shipped, and I've never been burned... Particularly in
Outlook 2003, the preview pane is quite safe.

 

[George Hester]

You ought to be checking that TIF. Microsoft may have fixed this not sure but Preview will load your TIF
up with those things Outlook is disabling. That is one reason you get those funky named subfolders in TIF.

 

[Diane Poremsky [MVP]]

What does funky named folders have to do with preview pane insecurity? They
aren't bugs BTW... and if you don't like it that outlook uses that location,
you can move it. Search outlook-tips.net for 'securetemp' for instructions.

The reason for the funky named folders is because of the security - outlook
uses the TIF as a securetemp folder to protect opened documents from the
prying eyes of other users. Additionally, all items loaded into preview are
written to the folder before outlook opens them - this allows your AV
software to scan them if you use autoprotect (and is why we don't recommend
scanning inbound mail at the desktop level).

--

You ought to be checking that TIF. Microsoft may have fixed this not sure
but Preview will load your TIF
up with those things Outlook is disabling. That is one reason you get those
funky named subfolders in TIF.

 

[George Hester]

Diane have you seen this?

Cursor and Icon Format Handling Vulnerability - CAN-2004-1049:

A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Now do you believe that Previewing a "malicious e-mail message" is sufficient to avoid this? I suggest NOT. And I suggest that Microsoft although probably would tell us one way or the other won't. Sure go ahead and install the security update. But that's today. Which has been my point all along. Don't preview and you don't have to worry about it. Pretty simple.

--
George Hester
_________________________________

What does funky named folders have to do with preview pane insecurity? They
aren't bugs BTW... and if you don't like it that outlook uses that location,
you can move it. Search outlook-tips.net for 'securetemp' for instructions.

The reason for the funky named folders is because of the security - outlook
uses the TIF as a securetemp folder to protect opened documents from the
prying eyes of other users. Additionally, all items loaded into preview are
written to the folder before outlook opens them - this allows your AV
software to scan them if you use autoprotect (and is why we don't recommend
scanning inbound mail at the desktop level).

--

You ought to be checking that TIF. Microsoft may have fixed this not sure
but Preview will load your TIF
up with those things Outlook is disabling. That is one reason you get those
funky named subfolders in TIF.

 

[Diane Poremsky [MVP]]

Yes, i have. I take into the consideration if the risk outweighs the
convenience - this includes considering how prevalent the exploit is and
whether it's likely to become widespread and if other actions will help to
negate the issue. So many of the recent bulletins require user interaction -
when a user needs convinced to go to a specific site, download something, or
do any other action based on what an email says, they are going to have a
lot more problems than just ones caused by the exploits. That makes the
exploit less than critical IMHO. In this case, the risk to the average user
is low. Why? Read the mitigating factors:
..In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker could also attempt to compromise a Web site to have it serve up a
Web page with malicious content attempting to exploit this vulnerability. An
attacker would have no way to force users to visit a Web site. Instead, an
attacker would have to persuade them to visit the Web site, typically by
getting them to click a link that takes them to the attacker's site or a
site compromised by the attacker.
There's that old 'user intervention' thing...
..By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 2000
opens HTML e-mail messages in the Restricted sites zone if the Outlook
E-mail Security Update has been installed. Outlook Express 5.5 Service Pack
2 opens HTML e-mail messages in the Restricted sites zone if Microsoft
Security Bulletin MS04-018 has been installed. The Restricted sites zone
helps reduce attacks that could attempt to exploit this vulnerability.
Outlook has been somewhat protected from this since the security update
released in June 2000. This is 2005... there is no excuse to not have
Outlook protected. OL98 is at risk, but we've said all along that it's the
least secure of all versions... those users should definitely use Chilton
preview until they upgrade. OL97 is 100% safe from this an other HTML risks,
unless the user opens an HTML attachment.
The risk of attack from the HTML e-mail vector can be significantly reduced
if you meet all the following conditions:
..Apply the update that is included with Microsoft Security Bulletin MS03-040
or a later Cumulative Security Update for Internet Explorer.
..Use Internet Explorer 6 or later.
..Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook
Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later in
its default configuration.
There's that thing about keeping programs up-to-date again.

The easiest way to reduce your risk is to stay off questionable sites
(especially porn and warez sites) and keep AV and your other software up to
date.

Anyone who is worried but wants to use preview can enable plain text in the
preview or use Chilton preview - it's no more '3rd party' than pocketknife
peek and makes reading mail much faster than PP. Me? I'm not shaking in my
shoes over this one and I certainly won't recommend anyone disable preview
to prevent it - i will tell them to make sure they have the latest patches
for their versions because they are still at risk if they disable preview
but open the message.

--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)



Join OneNote Tips mailing list: http://www.onenote-tips.net/


Diane have you seen this?

Cursor and Icon Format Handling Vulnerability - CAN-2004-1049:

A remote code execution vulnerability exists in the way that cursor,
animated cursor, and icon formats are handled. An attacker could try to
exploit the vulnerability by constructing a malicious cursor or icon file
that could potentially allow remote code execution if a user visited a
malicious Web site or viewed a malicious e-mail message. An attacker who
successfully exploited this vulnerability could take complete control of an
affected system.

Now do you believe that Previewing a "malicious e-mail message" is
sufficient to avoid this? I suggest NOT. And I suggest that Microsoft
although probably would tell us one way or the other won't. Sure go ahead
and install the security update. But that's today. Which has been my point
all along. Don't preview and you don't have to worry about it. Pretty
simple.

 

[George Hester]

"Yes, i have. I take into the consideration if the risk outweighs the
convenience "

We all do that at least I hope so. But that works both ways. Should we apply security fixes that Microsoft
releases for the same reason? Convience in this case meaning using things we come to like. Will these get
broke by applying the security fix?

Diane my point was Preview is a vector that can be exploited. It's happened before and will continue to
happen. If we don't preview then we avoid that vector. Without applying security fixes which have a nasty
habit of breaking things we like. Newsgroups are full of it.

So we are down to this. I want to use Preview and what should I do to best protect myself? My answer is
don't use it. Your suggestions were probably more to the point and in all likelihood doing as you say will
avoid any issues for the forseeable future.

 

[Jeff Stephenson [MSFT]]

Diane my point was Preview is a vector that can be exploited. It's happened before and will continue to
happen. If we don't preview then we avoid that vector. Without applying security fixes which have a nasty
habit of breaking things we like. Newsgroups are full of it.

And the way to avoid a head-on collision is to not drive a car, but I don't
see many people walking or biking wherever they go...

Both I and my wife have been using Outlook - with preview pane on -
extensively for the last 8 years. The only time either of us has ever been
infected was not because of Outlook but because of the few minutes between
the time I installed Windows and the time I installed its updates on a
network infected with Blaster.

Your attitude of "don't use feature X - it might be dangerous" makes me
wonder why you're even connected to the Internet. After all, isn't that
where all these threats come from? Get off the 'Net and you'll really be
safe...

 

[George Hester]

OI guess you didn't read this:

"Yes, i have. I take into the consideration if the risk outweighs the
convenience "

That I agree with whole heartedly. I am not a Luddite and I am also not a fool.

We take into consideration the risk as opposed to the benefit. And the ease of implementation. It is very
easy to avoid Preview. Not a problem. In that case the risk is not worth it. It is also relatively easy to
avoid issues on the Net. The benefit outweighs the risk in that case. Which applies to your car example.

It would be very difficult to get around without a car. It is not so difficult to avoid Preview. Just doesn't
look as nice. Again the benefit (my sense of esthetics) doesn't trump the risk.

 

[Jeff Stephenson [MSFT]]

We take into consideration the risk as opposed to the benefit. And the
ease of implementation. It is very easy to avoid Preview. Not a
problem. In that case the risk is not worth it. It is also relatively
easy to avoid issues on the Net. The benefit outweighs the risk in that
case. Which applies to your car example.

It would be very difficult to get around without a car. It is not so
difficult to avoid Preview. Just doesn't look as nice. Again the
benefit (my sense of esthetics) doesn't trump the risk.

So that all sounds very reasonable, but I quote from your reply to the
initial post:

Oh yes very dangerous. See the files that may get d/l or put on your
machine by previewing are no different then what you can get on your
machine by visiting the dubious sites the sppammers want you to go to.

Suddenly, it's not just esthetics vs. risk - when someone asked about
whether preview was safe, your answer was that it is "very dangerous".
That simply isn't true.

Microsoft has put a lot of effort in convincing users that the preview of
e-mail issue here in Outlook has been fixed. Well now don't believe
them because tomorrow they'll have another fix. Count on it.

And the fix will make it even safer than it already is. What level of
safety do you need before you're willing to abandon plain text? Your
answer did not say "well, there isn't a lot of danger, but since I don't
really care about esthetics I choose avoid even the slightest risk and turn
preview off", it said preview was "very dangerous".

 

[George Hester]

"Suddenly, it's not just esthetics vs. risk"

I think you misunderstood me. Wanting the preview is a desire for esthetics over what I see as the
perceived risk. I also posted a recent security update from Microsoft which addresses malicious e-mail.
Now I do NOT trust Microsoft under any circumstances to address security issues. They have proven
themselves time and time again that their security fixes are either worthless or cause more problems then they
are supposed to fix. What that tells me is it is up to me to be my own "security" cop. And this "security"
cop says do NOT trust Microsoft to determine what is and what is not safe. It is musch safer to NOT use
Preview then trust what anyone says about its immunity.

Until Microsoft can start issuing security fixes that are truthful, non-damaging, and work I won't be installing
any security fix that I have questions about what it's going to do. Those that I know work and do
not cause residual bad effects they go in. And that's it. It's sort of like these AV applications. You get the
updates and we think we are immune to all the nasties out there. And in the meantime I have to fight with
30,000 41KB viruses sent to my email. All because AV says we're fine. Hogwash.

 

[Jeff Stephenson [MSFT]]

I think you misunderstood me. Wanting the preview is a desire for
esthetics over what I see as the perceived risk. I also posted a recent
security update from Microsoft which addresses malicious e-mail. Now I
do NOT trust Microsoft under any circumstances to address security
issues. They have proven themselves time and time again that their
security fixes are either worthless or cause more problems then they are
supposed to fix. What that tells me is it is up to me to be my own
"security" cop. And this "security" cop says do NOT trust Microsoft to
determine what is and what is not safe. It is musch safer to NOT use
Preview then trust what anyone says about its immunity.

Until Microsoft can start issuing security fixes that are truthful,
non-damaging, and work I won't be installing any security fix that I
have questions about what it's going to do. Those that I know work and
do not cause residual bad effects they go in. And that's it. It's sort
of like these AV applications. You get the updates and we think we are
immune to all the nasties out there. And in the meantime I have to
fight with 30,000 41KB viruses sent to my email. All because AV says
we're fine. Hogwash.

Wow.

Well, you're welcome to be as paranoid as you like. Me, I install all
security patches as they're released and have always read all my mail
(including *lots* of spam - I like to keep on top of what spammers are
doing) in the preview pane. In fact I rarely actually open a message. So
far, 10+ years and counting of no infections. Seems to me my track record
is at least as good as yours, but much more esthetically pleasing...

 

[George Hester]

I never open email anymore also. Mostly never and yes I like to see what the spammers are up to also. It's
kind of funny. Well Jeff a nice discussion really esthetics not withstanding. Oh I forgot I do use preview in
one place. And that is here in OEX. I guess I could turn that off and read the source of newposts but ooh
that would be a too much work.