Security expert warns users to look out with Outlook

A security specialist issued a research note Thursday warning of a handful of flaws in Microsoft's Outlook 2002 e-mail software which he claimed could let "bad guys" cause havoc on a user's computer.

Independent security consultant Richard Smith pointed to four "questionable security policies" in Outlook 2002 which he said Microsoft has yet to fix, even though he notified the company of the problems over the last twelve months, according to Smith's note.

Microsoft did not immediately return calls seeking comment.

Smith said the most critical problem is that Outlook will automatically download potentially dangerous files sent in certain HTML (hypertext markup language) e-mail messages. The warning applied to e-mails with IFRAME HTML tags embedded in the message. If a user reads such an e-mail, Outlook will begin downloading executable files from a Web specified in the message.

"Outlook will put up a dialog box asking a user if they want to open the file, save it, or cancel the download," Smith wrote. "There is no security warning that the executable file might be dangerous. Unfortunately, the default action of the dialog is 'Open'."

Smith recommend that IFRAME tags be used only in conjunction with HTML, image and text files.

Another HTML-related flaw allows JavaScript code to run in e-mails even though scripting is turned off in the default settings of Outlook. A malicious hacker could bury the JavaScript code in a seemingly harmless link, causing hidden dangerous code to execute when the user clicks on a link, he said.

"In Outlook, URLs are limited to about 2,000 characters which is probably enough space to contain a simple worm which could exploit one of the know Internet Explorer security holes," Smith wrote.

In addition, Smith claimed that cookies can be set and read in HTML e-mails despite Outlook's default settings to turn cookies off. Cookies are small programs that collect information about which sites users visit on the Internet. While cookies can make life easier by identifying users when they return to a site, they can also be used to track Internet usage, making them a contentious privacy issue.

Smith contended that Microsoft's Outlook and Internet Explorer development teams disagree on the potential threat posed by .URL files, causing disruptive messages to occasionally appear when working with the two applications.

"The Outlook group sees them as security threat, while the IE group does not," Smith wrote.

He also noted that: "These problems likely affect earlier versions of Outlook as well as Outlook Express."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ashlee Vance

Computerworld
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?