Security expert warns users to look out with Outlook

A security specialist issued a research note Thursday warning of a handful of flaws in Microsoft's Outlook 2002 e-mail software which he claimed could let "bad guys" cause havoc on a user's computer.

Independent security consultant Richard Smith pointed to four "questionable security policies" in Outlook 2002 which he said Microsoft has yet to fix, even though he notified the company of the problems over the last twelve months, according to Smith's note.

Microsoft did not immediately return calls seeking comment.

Smith said the most critical problem is that Outlook will automatically download potentially dangerous files sent in certain HTML (hypertext markup language) e-mail messages. The warning applied to e-mails with IFRAME HTML tags embedded in the message. If a user reads such an e-mail, Outlook will begin downloading executable files from a Web specified in the message.

"Outlook will put up a dialog box asking a user if they want to open the file, save it, or cancel the download," Smith wrote. "There is no security warning that the executable file might be dangerous. Unfortunately, the default action of the dialog is 'Open'."

Smith recommend that IFRAME tags be used only in conjunction with HTML, image and text files.

Another HTML-related flaw allows JavaScript code to run in e-mails even though scripting is turned off in the default settings of Outlook. A malicious hacker could bury the JavaScript code in a seemingly harmless link, causing hidden dangerous code to execute when the user clicks on a link, he said.

"In Outlook, URLs are limited to about 2,000 characters which is probably enough space to contain a simple worm which could exploit one of the know Internet Explorer security holes," Smith wrote.

In addition, Smith claimed that cookies can be set and read in HTML e-mails despite Outlook's default settings to turn cookies off. Cookies are small programs that collect information about which sites users visit on the Internet. While cookies can make life easier by identifying users when they return to a site, they can also be used to track Internet usage, making them a contentious privacy issue.

Smith contended that Microsoft's Outlook and Internet Explorer development teams disagree on the potential threat posed by .URL files, causing disruptive messages to occasionally appear when working with the two applications.

"The Outlook group sees them as security threat, while the IE group does not," Smith wrote.

He also noted that: "These problems likely affect earlier versions of Outlook as well as Outlook Express."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ashlee Vance

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?