"It really is a wiretap and it's very illegal and very easy to do," said Richard Smith, chief technology officer for the Privacy Foundation based in Denver, in a column he wrote for the non-profit educational and research organisation. The vulnerability exists in mail that uses HTML (HyperText Markup Language).
The Microsoft Security Response Centre investigated the exploit when it was first discovered more than two years ago and looked into it again two weeks ago when contacted by Smith, a company spokeswoman said.
"This is not a product flaw -- this is inherently in the nature of HTML mail," the spokeswoman said. "Customers who do not want this functionality can disable it. It's disabled by default on recent versions of our e-mail clients."
The Outlook Security Patch, which has been available for almost a year, configures Outlook in a way that prevents scripts from running in HTML e-mails. The most recent version of Outlook Express disables the scripting in HTML e-mails by default, the spokeswoman said.
Smith, in his column, worries that the exploit may be used often and people may try to gain access to information that they normally would not be privileged to see. For example, a user may send a resume via email and then learn what the potential employer thinks about his or her qualifications, Smith writes.
Smith's column and further information on the exploit can be viewed at http://www.privacyfoundation.org/.