Security Basics mailing list archives
Re: MS Outlook/Outlook Express Preview Pane Security Issue?
From: "Greg" <pchandyman () ozemail com au>
Date: Thu, 1 Apr 2004 19:23:07 +1000
----- Original Message -----
From: "Dozal, Tim" <tdozal () cisco com>
To: <kurtbuff () spro net>; <security-basics () securityfocus com>
Sent: Tuesday, March 30, 2004 9:30 AM
Subject: RE: MS Outlook/Outlook Express Preview Pane Security Issue?
The biggest problem I saw with the preview pane is it could be tricked into executing code on your system even with no attachment present. If
Yeah, but that was patched at V5.5 level so it hasn't been a problem in a few years for anyone who updated from lower versions.
you disable all HTML e-mail then you might avoid this but if you receive HTML embedded in your e-mail as most people do nowadays when using
There was a worse problem at one time where just the existence of an email in your inbox led to troubles, but that was so far back I can't even remember it all now. You didn't read it, just received it.
Outlook of any version then you are at risk. Even though you may be filtering attachments and be running zone alarm your e-mail client will execute a lot of embedded HTML which basically acts like you are using a browser and visiting somebody's web site to pull the content. That
If you use Zone Alarm to disallow access for OE on port 80, you can overcome that.
Again as I posted before, anything but Outlook 2003 I would recommend against the preview pane.
None of my income is derived from anything other than Microsoft users because that is all the businesses (tiny to small) around where I work use. I have never had an infection problem in any machine I have touched, using their products, since I have been doing their computer work, nor has mine ever been infected - which is not to say it won't ever happen of course, just saying that poor old MS suffers the "red car syndrome". E.g., 100 cars on the road, 90 red, the rest varying competing and useless colours. A survey comes out saying that more red cars than any other are involved in fatal accidents, therefore red cars are a serious problem on the road. We all know that there are myriads of problems that can affect all computers, but the one that is swamping use of any other out in the world is the one that will always get the most hits and the most notoriety as a result. The way *nix is going, there is no doubt in my mind that their day is coming, whether that is only a 5% jump in use or a jump to be nearly a Microsoft. Whatever it ends up at its peak, it will also be attracting more problems as more people use it. Don't forget, it's usually the nut behind the wheel that causes the problems on the road.

Greg.
