Preview pane - dangerous?!

Diane Poremsky [MVP]

> Diane my point was Preview is a vector that can be exploited. It's happened
> before and will continue to happen. If we don't preview then we avoid that
> vector. Without applying security fixes which have a nasty habit of breaking
> things we like. Newsgroups are full of it.

And my point is opening messages is just as dangerous but less useful. The
average person will not be productive using programs like pocketknife peek
to read their mail - time is money and it takes too much time to not use
preview. The risk of problems using Outlook is so low - even if Outlook 2000
SP1 with the June 2000 update is the last update ever installed - as long as
you don't open every attachment that comes or click every link you receive
your chances of becoming infected are low. Low enough that saving time is
more important than taking longer to read mail. (Note I do recommend keeping
updated on the patches, because you could be unlucky once or someone less
savvy than you could use the computer.)

> So we are down to this. I want to use Preview and what should I do to best
> protect myself? My answer is don't use it.

My answer is if you are so paranoid, I'd recommend not using Outlook - your
best bet is something more than the 99.9% security Outlook offers - like
Pine.
 
George Hester

Pine that's funny.

Time is money and an Exchange Admin that knows what they are doing isn't letting Spam into their Network.

I'm not a business here so Outlook isn't costing me anything or anyone else. But preview can cost me frustration because then I have to deal with those that use it; get the stuff it d/l into their TIF; and then start passing it around like a hot potato.

I understand you think it is immune to these issues. You have every right to feel that way. The spammers also thank you.
 
Vanguard

Pine that's funny.

Time is money and an Exchange Admin that knows what they are doing
isn't letting Spam into their Network.

I'm not a business here so Outlook isn't costing me anything or anyone
else. But preview can cost me frustration because then I have to deal
with those that use it; get the stuff it d/l into their TIF; and then
start passing it around like a hot potato.

I understand you think it is immune to these issues. You have every
right to feel that way. The spammers also thank you.


*** REPLY SEPARATOR ***
(only needed due to use of quoted-printable format by quoted poster
since OE does not truncate and prefix with quote character for such
content to provide clear delineation of quoted content from response
content)

I looked at the add-in you suggested. Looks nice but I didn't see a
need for installing an add-in (for me) when I've already got AutoPreview
which gives me a good enough text-only preview of a message to see if it
is something that slipped past all the spam filtering. I'm still using
OL2002 which has a registry setting to let the user read in plain-text
only mode but then you are stuck in that mode for reading all e-mails.

I don't see the hazards that you do when using the Preview pane when
using the Restricted Sites security zone set to High except for web
bugs. That's why I use the AutoPreview pane (although I could also use
anti-spam software, like SpamPal with its HTML-Modify plug-in, to
disable any linked images). I believe OL2003 now has the feature that
you can block linked images but still choose to see them if you want.
So you could use the Preview pane and use the option, if available, to
block the linked images to get rid of the lingering web bug problem that
none of the security zones handle, or you could use AutoPreview to see
some of the message in plain-text mode. I guess if the AutoPreview mode
is not sufficient for your taste (i.e., you really need to see ALL of
the text version instead of just the first 3 or 4 lines) then the add-in
you mentioned is a good workaround.

I don't see using AutoPreview mode or clicking between tabs for
your add-in as a significant time waste when reading e-mails but then
I'm not in a job where reading the most e-mails per minute is a measure
of my job efficiency.

Could you provide an example where using the Preview pane could incur an
intrusion or invasion by virus, script, or other HTML nasty (other than
web bugs)? I already know that none of the security zones will block
linked images and my older version of Outlook doesn't have the option to
block them until I choose to view them. Since the Restricted Sites
security zone is (or should be) used, which it is by default, and it
should be set to High, which it is by default, the HTML content becomes
static. No prompts for file downloads since file downloads are disabled.
No font downloads. No scripting, including Javascript. No Java (so no
local applets can run). No ActiveX downloads and any that already exist
locally cannot run. No server-side scripting to generate page content
because you aren't connected to their web server but instead rendering
the page content from the static copy in your local server (i.e., the
copy in Outlook's PST file). No metarefresh. No launching of programs
in frames. No subframes crossing domains (since, again, it is disabled
plus you aren't connected to their web server). Other than web bugs,
HTML e-mail seems pretty much neutered.

Know of any test sites where I can check the security of the Preview
pane? Yeah, I'll be Googling around to check but maybe you already know
of some.
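
An added example, not part of any post in this thread: the reply above singles out linked images (web bugs) as the one thing the Restricted Sites zone leaves open, and mentions plug-ins that disable them before the message is rendered. The sketch below does that rewrite on a message's HTML part; the sample message, the `example.invalid` hosts, the function and class names, and the attribute list are all constructed assumptions.

```python
from email import message_from_string
from html import escape
from html.parser import HTMLParser
import re

# Constructed sample message; example.invalid hosts are placeholders.
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"

<html><body background="http://tracker.example.invalid/bg.gif">
<img src="http://tracker.example.invalid/open.gif?id=abc123" width="1" height="1">
<img src="cid:logo@example.invalid">
<a href="http://example.invalid/page">link</a></body></html>
"""

REMOTE = re.compile(r"^\s*(https?:)?//", re.I)
# Attributes fetched merely by rendering the message (assumed list, not exhaustive).
FETCH_ATTRS = {"img": ("src",), "input": ("src",), "body": ("background",),
               "table": ("background",), "td": ("background",)}

class RemoteImageBlocker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.blocked = [], []
    def handle_starttag(self, tag, attrs):
        kept = [tag]
        for name, value in attrs:
            if name in FETCH_ATTRS.get(tag, ()) and value and REMOTE.match(value):
                self.blocked.append((tag, name, value))   # record the would-be web bug
            else:
                kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(kept) + ">")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def block_remote_images(raw_message):
    """Return (rewritten_html, blocked) for the first text/html part, or (None, [])."""
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "latin-1"
            blocker = RemoteImageBlocker()
            blocker.feed(part.get_payload(decode=True).decode(charset, "replace"))
            blocker.close()
            return "".join(blocker.out), blocker.blocked
    return None, []
```

Embedded `cid:` images and ordinary hyperlinks are left alone, since neither causes a fetch when the message is merely displayed; this is not a full HTML sanitizer and does not replace the zone settings discussed above.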
 
Guest

WOW!!!

What can I say. Well, thank you all for your input and comments on this issue.

I will bring up your suggestions when I see my IT friends next time...that
should be fun ;)

Nicole
 
