Home page logo
/

basics logo Security Basics mailing list archives

RE: MS Outlook/Outlook Express Preview Pane Security Issue?
From: "Dozal, Tim" <tdozal () cisco com>
Date: Mon, 29 Mar 2004 15:30:26 -0800

Kurt,

The biggest problem I saw with the preview pane is it could be tricked
into execuiting code on your system even with no attachment present.  If
you disable all HTML e-mail then you might avoid this but if you receive
HTML embedded in your e-mail as most people do now days when using
Outlook of any version then you are at risk.  Even though you may be
filtering attachments and be running zone alarm your e-mail client will
execute a lot of embedded HTML which basically acts like you are using a
browser and visiting somebody's web site to pull the content.  That
being said look into all of the vulnerabilities which require you to
visit a malicious web site and you will quickly fear web surfing all but
the most trusted sites.  Your system can easily be compromised via one
of those types of exploits merly from the preview pane acting like a
browser and pulling content from a site embeded in the mail message
body.

Again as I posted before, anything but Outlook 2003 I would recommend
against the preview pane.


Tim 


-----Original Message-----
From: Kurt [mailto:kurtbuff () spro net] 
Sent: Friday, March 26, 2004 3:43 PM
To: security-basics () securityfocus com
Subject: RE: MS Outlook/Outlook Express Preview Pane Security Issue?

I beg to differ.

First thing *I* do with Outlook (I use OL2k, don't use OE - hate it) is
set security on it, and turn off everything.

Go to Tools/Options/Security/Zone Settings/Custom Settings, and disable
everything.

Preview pane has not ever bitten me. I'm sure that's in part because I'm
just very careful anyway, but setting security does do a lot. As well,
I'm using Zone Alarm, and it strips all executable attachments (google
for Martin Blackstone's List of Danger).

-----Original Message-----
From: Justin F. Knox [mailto:jknox () indexzero org]
Sent: Thursday, March 25, 2004 16:15
To: security-basics () securityfocus com
Subject: RE: MS Outlook/Outlook Express Preview Pane Security Issue?



Is there any security/privacy risk in enabling the preview pane in
Microsoft
Outlook and Outlook Express even when latest patches are installed?

I'd say yes, because it's still unsecured even with the latest round of

patches. Now Outlook 2003's preview pane won't download images or
render
script, unless you turn it on. For that I'd still say no, but I've been

testing it out and haven't had a problem yet. I just use Auto Preview
in
Outlook, work ok and renders in plain text.

I'd have to agree here. On any installation of Outlook that I'm to use,
the first thing to turn off is the preview pane. Simply because it
renders everything (or just about...). Very dangerous. It kind of
defeats the purpose of telling your users not to open e-mails with
'blah' for an attachment if their MUA does it for them.

just my $0.02.

--Justin


------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors.
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----



------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors. 
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]