Also note that if there is any way to get Outlook Express to open a new IE
window with a document in automatically when it loads an email, then you
would be vulnerable if you only disabled scripting, etc. for mail and not
for "normal" web access. Is there a way to do this? I don't know of any.
But again, things are complex enough that I'm quite unwilling to say there
is no way to do it.
So while disabling all the "features" that you can when reading HTML mail
is definitely recommended and protects you against a lot of attacks, it is
not a complete solution. I seriously doubt that all the ways of
exploiting this issue without using scripting languages have been
Not that I have seen anyone publicly posting exploits that do things in
any of these ways (or any other way...), which I find odd, since there are
lots of vulnerable sites out there, and some vulnerabilities that are