[34263] in bugtraq


MS Outlook/Outlook Express Preview Pane Security Issue

daemon@ATHENA.MIT.EDU (Jeff Uslan)
Fri Mar 26 18:22:11 2004

From: "Jeff Uslan" <jeff_uslan@speakeasy.net>
To: <jeff_uslan@speakeasy.net>
Date: Fri, 26 Mar 2004 10:49:10 -0800
Message-ID: <002201c41363$072371f0$020aa6c7@rodentking>

FYI


Just a reminder if you are using anything but Outlook 2003: the HTML
injection issues and other such exploits with just viewing the preview pane
have mostly been taken care of in the older versions, but issues are still
popping up.  If you want to use the preview pane I would recommend Outlook
2003; it has a greater security model, and the preview pane will not execute
any HTML code or download any HTML embedded pictures unless you actually
tell it to on an e-mail by e-mail basis.

I believe some of these features will also be added to Outlook Express with
the release of XP SP2, but until then I'd steer clear of the preview pane on
older Outlook versions.


If you're curious why you don't want embedded HTML pics downloaded
automatically, this is a confirmation method used by spammers to verify you
received their e-mail and that your e-mail address is valid.


Regards,


Jeff Uslan, CISM, DHS
Chief Information Security Officer
Absolute Computer Security Consulting
jeff_uslan@speakeasy.net
*	805.498.3568 office
*	805.218.3182 cell
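The confirmation method described in the message above can be checked for on the receiving side. The following is an added example, not part of the original post: it lists the remote resources an HTML mail part would make a client fetch when rendered, and flags URLs that embed the recipient's address. The sample message, its addresses and the host names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message for illustration; not taken from the original post.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<img src="http://tracker.example/open.gif?id=user%40example.org" width="1" height="1">
<img src="cid:logo@example.com">
<table background="https://cdn.example/bg.png"><tr><td>x</td></tr></table>
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect attributes that make a mail client fetch over HTTP(S) on render."""
    FETCH_ATTRS = {"src", "background"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.FETCH_ATTRS and value:
                url = value.strip()
                # cid: and data: references are carried inside the message itself.
                if urlsplit(url).scheme.lower() in ("http", "https"):
                    self.found.append((tag, url))

def remote_references(raw):
    """Return (tag, url) pairs for every remote fetch in the HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.found

def carries_recipient(url, recipient):
    """True if the URL embeds the recipient address (per-recipient beacon)."""
    return recipient.lower() in unquote(url).lower()

if __name__ == "__main__":
    for tag, url in remote_references(SAMPLE):
        print(tag, url, carries_recipient(url, "user@example.org"))
```

A URL without the recipient's address can still carry an opaque per-recipient token, so any remote reference in the list is a reason to leave automatic image download off.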

