As we approach the 2-year anniversary of the VBS.LoveLetter virus outbreak, which catapulted Outlook into the headlines, security problems continue to arise. Last week, Internet security and privacy expert Richard M. Smith posted a note to the Windows NTBugtraq mailing list that cited four problems with Outlook 2002—two security problems, one privacy problem, and one case of mixed messages from Microsoft—that Smith says probably affect earlier versions of Outlook as well.
According to Smith, the most significant security problem is that IFRAME tags in HTML messages can run files. IFRAME is an HTML element that Microsoft Internet Explorer (IE) uses to display a Web page or another document within a Web page or a mail message. If Windows considers an IFRAME source file "safe," the OS automatically launches the file when you view a Web page or mail message. But with bug hunters discovering a steady stream of ways in which supposedly safe files can execute harmful content, Smith recommends that Microsoft block all IFRAME content in HTML messages except HTML, image, and text files.
Another security problem Smith mentions is that although Outlook blocks JavaScript and VBScript in HTML messages, the application doesn't block the code in hyperlinks that use "javascript:" instead of "http: ". Because Outlook supports URLs of up to about 2000 characters—long enough to let malicious users exploit some known IE security holes—Smith recommends that you block "javascript:" and "about:" URLs in mail messages. This problem is less severe than the IFRAME problem because the JavaScript code doesn't run automatically—you must click the link before it will run. However, a malicious user can easily spoof a link in a mail message. Outlook 2002 doesn't give you a status bar that lets you view a link's target, as IE does, so the only way to confirm that a link points to a particular Web page is to read the entire message source. How many of you do that before you click a link in an HTML message?
Smith's third complaint about Outlook 2002 is a privacy problem that might return both a cookie and your email address to a Web site. The site's administrators could then match the address with the previously anonymous data associated with that cookie. You're at risk for this privacy flaw only if you already have a cookie for the Web site and you receive a mail message constructed individually for you with an image whose source URL sends your address back to the Web site.
Finally, Smith thinks that the Outlook and IE teams should agree on the safest way to send Internet links by email. I agree. IE 6.0 insists on inserting a .url file in messages you create when you choose File, Send, Link by E-mail from your browser. However, if you've installed the Email Security Update, Outlook blocks those files. A text link, rather than a file attachment, would be safe and accessible for everyone. Let's hope that Microsoft soon can fix this feature in IE and also make IFRAME safer to use in HTML mail messages.
