New IE Update Blocks IFRAME in Outlook HTML Messages

Microsoft issued a critical update for Microsoft Internet Explorer (IE) last week in Microsoft Security Bulletin MS02-023 (15 May 2002 Cumulative Patch for Internet Explorer) that eliminates a longstanding vulnerability in HTML-format messages—the ability of an <IFRAME> tag to use the Internet Sites security zone, rather than the Restricted Sites zone, to launch a file attached to a message or to open a Web page inside a message. This vulnerability has contributed to the spread of Klez and some other viruses that use an <IFRAME> tag to launch a file when the user previews or opens an HTML message. Depending on the attachment security in place on the user's machine, the attachment that the <IFRAME> tag launches might run automatically, thus setting up a situation in which the user might not know that a message has an attached file or that the file has already starting running.

After you apply the update, which is available for IE 6.0, IE 5.5 Service Pack 1 (SP1) and SP2, and IE 5.0 SP2, Web pages from sites in the Restricted Sites zone will ignore <IFRAME> tags. Outlook 2002 and Outlook 2000 and Outlook 98 with the Outlook E-mail Security Update all use the Restricted Sites zone for HTML messages.

If you haven't installed the Outlook E-mail Security Update, after you download and install the IE update, you must manually set Outlook to use the Restricted Sites zone if you want to get the benefit of the <IFRAME> blocking. You can do so on the Security tab of Outlook's Tools, Options dialog box. Forcing Outlook to operate in the Restricted Sites zone also eliminates other potential vulnerabilities related to script in HTML messages.

Strangely enough, this IE update has some surprising consequences for Outlook 2002 and Outlook 2000 users. The appearance of the Organize pane in both versions and the Find pane in Outlook 2000 will no longer show white text links in the Tahoma font on a gray background. Instead, the links are the default underlined blue, which makes them difficult to see on the dark background, and the font is whatever font you have set as your default in IE.

The change in behavior is because of another fix in the IE update (the update patches six new vulnerabilities as well as all previously acknowledged problems). As GreyMagic Software reported, one vulnerability related to Cascading Style Sheets (CSS) makes it possible to read data from local files on the user's machine. Microsoft appears to have fixed this problem by making it impossible for an HTML page to load a style sheet from a <LINK> tag that points to a locally stored .css file, unless the user has placed in the Trusted Sites zone the domain hosting the Web page.

What does this fix have to do with Outlook? The content of the Find and Organize panes is stored in a DLL that's installed with Outlook. Also embedded in that resource DLL is the style sheet that changes the font settings for those panes. Because the style sheet is in a local file, the Find and Organize panes won't load it after you install the new IE update. To fix the problem, Microsoft will probably need to update the DLL to use inline styles instead of a style sheet.

Yes, this new CSS limitation is annoying (and will affect other applications that use .css files on local systems or in resource .dll files), but it's no reason not to install the IE patch. The benefits of greater security for HTML-format messages far outweigh the aggravation of this display issue.

15 May 2002 Cumulative Patch for Internet Explorer

GreyMagic Security Advisory GM#004-IE

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.