As we approach the 2-year anniversary of the VBS.LoveLetter virus outbreak, which catapulted Outlook into the headlines, security problems continue to arise. Last week, Internet security and privacy expert Richard M. Smith posted a note to the Windows NTBugtraq mailing list that cited four problems with Outlook 2002—two security problems, one privacy problem, and one case of mixed messages from Microsoft—that Smith says probably affect earlier versions of Outlook as well.
According to Smith, the most significant security problem is that IFRAME tags in HTML messages can run files. IFRAME is an HTML element that Microsoft Internet Explorer (IE) uses to display a Web page or another document within a Web page or a mail message. If Windows considers an IFRAME source file "safe," the OS automatically launches the file when you view a Web page or mail message. But with bug hunters discovering a steady stream of ways in which supposedly safe files can execute harmful content, Smith recommends that Microsoft block all IFRAME content in HTML messages except HTML, image, and text files.
Smith's third complaint about Outlook 2002 is a privacy problem that might return both a cookie and your email address to a Web site. The site's administrators could then match the address with the previously anonymous data associated with that cookie. You're at risk for this privacy flaw only if you already have a cookie for the Web site and you receive a mail message constructed individually for you with an image whose source URL sends your address back to the Web site.
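The two checks above lend themselves to a simple mail-side filter. As an added example (not code from Smith's note or from Microsoft), the following Python scanner flags IFRAME elements whose source is not an HTML, image, or text file, using the file extension as a stand-in for the content type, and flags image URLs that carry the recipient's own address. The message body, host name, and addresses are constructed sample input.

```python
# Added example: scan an HTML mail body for the two issues discussed in the text.
# Not part of Outlook or of Smith's post; sample message and addresses are constructed.
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Extensions standing in for "HTML, image, and text files"; anything else is blocked,
# including sources with no extension at all (deny by default).
ALLOWED_IFRAME_EXT = {".htm", ".html", ".txt", ".gif", ".jpg", ".jpeg", ".png", ".bmp"}


def iframe_src_allowed(src: str) -> bool:
    """Keep an IFRAME only if its source path ends in an allowed extension."""
    path = urlparse(src).path.lower()
    dot = path.rfind(".")
    return dot != -1 and path[dot:] in ALLOWED_IFRAME_EXT


def image_leaks_address(src: str, recipient: str) -> bool:
    """True if the image URL (after percent-decoding) embeds the recipient's address."""
    return recipient.lower() in unquote(src).lower()


class MailFilter(HTMLParser):
    """Collect blocked IFRAME sources and beacon image URLs while parsing the body."""

    def __init__(self, recipient: str):
        super().__init__()
        self.recipient = recipient
        self.blocked_iframes: list[str] = []
        self.beacons: list[str] = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""  # attribute may be present with no value
        if tag == "iframe" and not iframe_src_allowed(src):
            self.blocked_iframes.append(src)
        elif tag == "img" and image_leaks_address(src, self.recipient):
            self.beacons.append(src)


def scan_message(html: str, recipient: str) -> dict:
    """Return the IFRAMEs to strip and the image URLs that would reveal the address."""
    f = MailFilter(recipient)
    f.feed(html)
    f.close()
    return {"blocked_iframes": f.blocked_iframes, "beacons": f.beacons}


# Constructed sample: one harmless IFRAME, one pointing at an executable, one tracking
# pixel whose URL carries the recipient's address, and one ordinary logo image.
SAMPLE = """<html><body>
<iframe src="http://example.test/news.html"></iframe>
<iframe src="http://example.test/update.exe"></iframe>
<img src="http://example.test/pixel.gif?addr=alice%40example.test">
<img src="http://example.test/logo.png">
</body></html>"""

if __name__ == "__main__":
    print(scan_message(SAMPLE, "alice@example.test"))
```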
Finally, Smith thinks that the Outlook and IE teams should agree on the safest way to send Internet links by email. I agree. IE 6.0 insists on inserting a .url file in messages you create when you choose File, Send, Link by E-mail from your browser. However, if you've installed the Email Security Update, Outlook blocks those files. A text link, rather than a file attachment, would be safe and accessible for everyone. Let's hope that Microsoft can soon fix this feature in IE and also make IFRAME safer to use in HTML mail messages.