The Latest Trumors

How Good is Your Outlook?

Does your version of Microsoft Outlook or Outlook Express protect your computer from attack or the spread of viruses?

Unpatched or early versions of Microsoft's e-mail programs can allow the execution of malicious code, or allow viruses to transmit themselves to others. Only a year ago Microsoft issued patches for Internet Explorer to repair four major vulnerabilities in versions 5.01 through 6 that could let an attacker completely take over your PC or wipe your hard drive clean. With two of these holes, simply visiting a malicious web site could initiate the attack; you wouldn't even have to click anything.

Unpatched versions of Outlook Express 5.5 and 6 contain a vulnerability that could allow an attacker to cause just as much harm. Merely receiving an e-mail -- without even opening it -- could automatically trigger the attack. But there's a twist: even though the hole is in OE, you're also in danger if you use Outlook 98 through 2002 without updates, because Outlook relies on Outlook Express components for some of its features. If you run Outlook Express 6 or Outlook 2002 under the default Medium security setting, or Outlook 98 or 2000 with the Outlook E-mail Security Update installed, you block the automated e-mail attack, but you're still vulnerable if you click a malicious link, whether in an e-mail or on an attacker's web site.

Microsoft also discovered a security threat in its Java Virtual Machine, a component that has shipped with Windows since Windows 95, as well as with many versions of IE. The VM enables IE, Outlook, and Outlook Express to run Java applets. However, the VM's most important safety feature is broken: the bytecode verifier, the part that checks each applet before it runs to ensure it cannot step outside the Java sandbox.

Preventive medicine is the best kind. So get an updated version of Microsoft's VM, or (better yet) use Sun's version instead. Only last month Microsoft issued yet another Security Bulletin (MS04-009) describing a vulnerability in Microsoft Outlook that could allow code execution (828040). Microsoft later raised its severity rating from "important" to "critical."

What's the Difference?

For those of you who may be confused about these overlapping programs, here's a little more detail about them. Remember that, while you can read e-mail using both Outlook and Outlook Express on the same computer, you need to consider exactly how you're going to use each program. At work, you might choose to use Outlook for both your personal account and your corporate account. Or, you may want to use Outlook for your work e-mail and Outlook Express exclusively for your private e-mail. But whatever you decide, you shouldn't access the same e-mail account on the same computer using both programs, to avoid dividing the messages on that account between the two.

Outlook Express is the free e-mail client that was included with Microsoft Internet Explorer 4.x / 5.x / 6.x, Microsoft Windows operating systems 98 / Me / 2000 / XP, and Microsoft Office 98 / 2001 for the Macintosh (version 5.1 for OS 9.x). [Note: Macintosh users are not affected by these issues.] Outlook Express is designed for home users who access their e-mail by dialing in to an Internet service provider (ISP). It works with any Internet-standard mail system, including Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), and Internet Message Access Protocol (IMAP). It supports e-mail, news, and directory standards such as Lightweight Directory Access Protocol (LDAP), MIME-encapsulated HTML (MHTML), Hypertext Markup Language (HTML), Secure/Multipurpose Internet Mail Extensions (S/MIME), and Network News Transfer Protocol (NNTP). Outlook Express includes migration tools that automatically import existing mail settings, address book entries, and e-mail messages from Eudora, Netscape, Microsoft Exchange Server, the Windows Inbox, and Outlook. OE also includes the ability to receive mail from multiple e-mail accounts, as well as the ability to create Inbox rules to manage and organize e-mail.

Outlook is a more robust stand-alone application that is shipped with the Microsoft Office suite. However, unlike Outlook Express, it does not include a news client. (While Outlook 2003 may appear to support newsgroups, the newsreader actually opens an Outlook Express window.) It integrates with Internet Explorer and combines e-mail, calendaring, and contact management, making it popular with business users. The final version of Outlook for Macintosh was 2001, replaced by Entourage (bundled with Office 2001 and X), a new application to manage contacts, calendar items, tasks, notes and multiple e-mail accounts in one view. [None of the products for Macintosh are vulnerable to the Windows-based viruses or worms. The volume of infected e-mails may be annoying, but they won't harm systems running other platforms.]

Outlook organizes information to work seamlessly with Office applications. There are Inbox rules to filter and organize messages, and e-mail from multiple accounts, personal and group calendars, contacts, and tasks can be integrated and managed together. Outlook is designed for use with the Internet (SMTP, POP3, and IMAP4), Exchange Server, or any other standards-based communication system that supports the Messaging Application Programming Interface (MAPI), including voice mail. Outlook is based on Internet standards and supports e-mail and directory standards including LDAP, MHTML, MIME, S/MIME, vCalendar, vCard, and iCalendar.

Outlook also offers the same import tools as those offered with Outlook Express to migrate from other e-mail clients, plus additional migration tools for Microsoft Mail, Microsoft Schedule+ 1.0, Microsoft Schedule+ 7.0, Lotus Organizer, NetManage ECCO, Starfish SideKick, Symantec ACT, and synchronization with Personal Digital Assistants (PDAs).

Some Tips to Help You Help Yourself

The biggest weakness is a feature shared by both programs: support for HTML in e-mail messages. HTML messages are rendered by the same engine as Internet Explorer, so a script or ActiveX control embedded in a message gets whatever rights the selected Internet Explorer security zone grants it. The following steps (reprinted from the Microsoft Knowledge Base) will help to minimize this vulnerability in Outlook Express.

Using Internet Explorer Security Zone to Disable Active Content in Hypertext Markup Language (HTML) E-mail

Security zones enable you to choose whether active content, such as ActiveX controls and scripts, can run from inside HTML e-mail messages in Outlook Express. By default, Outlook Express 6 uses the Restricted Sites zone instead of the Internet zone. Microsoft Outlook Express 5.0 and 5.5 used the Internet zone, which allows most active content to run. To customize your Internet Explorer security zone settings for Outlook Express:

[CAUTION: Changing security zone settings can expose your computer to potentially damaging code. Use caution when you change these settings.]

  1. Start Outlook Express, and then on the Tools menu, click Options.
  2. Click the Security tab, and then click either Restricted Sites Zone or Internet Zone (less secure, but more functional) in the Virus Protection section under Select the Internet Explorer security zone to use.
  3. Click OK to close the Options dialog box, and then quit Outlook Express.
  4. Start Internet Explorer, click Internet Options on the Tools menu, and then click Security.
  5. Click Custom Level for the security zone that you selected in Outlook Express. The security settings that you choose apply to Outlook Express as well as Internet Explorer.

How to Read all Messages in Plain Text (Service Pack 1 Only)

Starting with Service Pack 1, you can configure Outlook Express to read all e-mail in plain text format. Some HTML e-mail may not appear correctly in plain text, but no active content in the e-mail is run when you enable this setting. To read all messages as plain text in Outlook Express Service Pack 1:

  1. Start Outlook Express, and then on the Tools menu, click Options.
  2. Click the Read tab, and then click to select the Read all messages in plain text check box under Reading Messages.
  3. Click OK.

Additional Configuration Help

How to Prevent Programs from Sending E-mail Without Your Approval

If you configure Outlook Express as the default mail handler (or simple MAPI client) on the General tab, Outlook Express processes requests by using Simple MAPI calls. Some viruses can use this functionality and spread by sending copies of e-mail messages that contain the virus to your contacts. By default, Outlook Express 6 prevents e-mail messages from being sent programmatically from Outlook Express without your knowledge by displaying a dialog that enables you to send or not to send the e-mail message.

Using the Internet Explorer Unsafe File List to Filter E-mail Attachments

To use the Internet Explorer unsafe file list to filter e-mail attachments:

  1. Start Outlook Express, and then on the Tools menu, click Options.
  2. Click the Security tab, and then click to select the Do not allow attachments to be saved or opened that could potentially be a virus check box under Virus Protection.

This option is enabled by default in Outlook Express Service Pack 1 (SP1). If you enable this option, Outlook Express uses the Internet Explorer 6 unsafe file list and the Confirm open after download setting in Folder Options to determine whether a file is safe. Any e-mail attachment with a file type reported as "unsafe" is blocked from being downloaded.

NOTE: The Internet Explorer 6 unsafe file list includes any file types that may have script or code associated with them. To add additional file types to be blocked or remove file types that should not be blocked:

  1. Click Start, point to Settings (or click Control Panel), and then click Control Panel (or switch to Classic View or View All Control Panel Options).
  2. Double-click Folder Options.
  3. On the File Types tab, click to select the file type that you want to block or allow, and then click Advanced. If the file type you want to add is not listed, perform the following steps:
  4. Click New.
  5. In the Create New Extension dialog box, type the file extension you want to add to the unsafe file list.
  6. Click OK, and then click Advanced.
  7. Click to place a check mark (block) or remove the check mark (allow) from the Confirm open after download check box.

NOTE: You cannot remove the check from Confirm open after download for some file types. For example, .exe files are in the default unsafe file list in Internet Explorer and cannot be allowed.

How to Determine When Outlook Express Has Blocked an Attachment

When Outlook Express blocks an attachment, the following alert is displayed in the message alert bar at the top of the e-mail message:

Outlook Express removed access to the following unsafe attachments in your mail: file_name1, file_name2, and so on.
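To make the filtering rule concrete, here is an added example (not code from Outlook Express or Microsoft) that applies an unsafe-file-list check to a constructed set of attachment names and produces the alert line quoted above. The UNSAFE_TYPES set is an illustrative subset of the Internet Explorer 6 list, and the ALWAYS_BLOCKED set and the allowed_overrides parameter are this example's way of modelling the Confirm open after download behaviour, not Microsoft's implementation. It also handles two edge cases the dialog settings do not make obvious: a trailing dot in a name (setup.exe. still runs as setup.exe) and a double extension (photo.jpg.scr is a screen saver, not a picture).

```python
"""Attachment filtering in the style of the Outlook Express unsafe file list.

Added example, not code from Outlook Express or Microsoft. UNSAFE_TYPES is a
constructed, illustrative subset of the Internet Explorer 6 unsafe file list;
the real product reads that list from Folder Options, not from a hard-coded set.
"""
import os

# Constructed subset (assumption): extensions that carry code or script.
UNSAFE_TYPES = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsh", "wsf", "hta", "reg", "msi", "cpl", "lnk", "shs", "chm",
}
# Types that cannot be unblocked by clearing Confirm open after download
# (the text names .exe as one of them).
ALWAYS_BLOCKED = {"exe"}


def effective_extension(filename: str) -> str:
    """Return the extension Windows would actually act on, lower-cased.

    Windows ignores trailing dots and spaces when it opens a file, so
    'report.exe.' behaves as 'report.exe'. Only the final extension
    selects the handler: 'photo.jpg.scr' is a screen saver, not an image.
    """
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def is_blocked(filename: str, allowed_overrides=frozenset()) -> bool:
    """Decide whether the unsafe-list filter would block this attachment.

    allowed_overrides models clearing Confirm open after download for a
    type; it cannot unblock anything in ALWAYS_BLOCKED.
    """
    ext = effective_extension(filename)
    if ext in ALWAYS_BLOCKED:
        return True
    return ext in UNSAFE_TYPES and ext not in allowed_overrides


def filter_attachments(filenames, allowed_overrides=frozenset()):
    """Return (kept, removed, alert); alert is the OE-style message bar text."""
    removed = [f for f in filenames if is_blocked(f, allowed_overrides)]
    kept = [f for f in filenames if f not in removed]
    alert = ""
    if removed:
        alert = ("Outlook Express removed access to the following unsafe "
                 "attachments in your mail: " + ", ".join(removed))
    return kept, removed, alert


if __name__ == "__main__":
    # Constructed sample of attachment names from one message.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "invoice.pdf", "photo.jpg.SCR",
              "setup.exe.", "notes.txt", "README"]
    kept, removed, alert = filter_attachments(sample)
    print("kept:   ", kept)
    print("removed:", removed)
    print(alert)
```

Only the final extension decides, and the comparison is case-insensitive, because that is how Windows chooses the program that opens the file; a filter that looks at the first extension, or at the content type declared inside the message, is easy to bypass.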

Avoiding Malicious Links

Although the following actions don't help you identify a deceptive (spoofed) web site or URL, they can help limit the damage from a successful attack from a spoofed web site or a malicious hyperlink. Bear in mind that they also restrict e-mail messages and web sites in the Internet zone from running scripts, ActiveX Controls, and other potentially damaging content.

Use your web content zones to help prevent web sites that are in the Internet zone from running scripts, running ActiveX Controls, or running other damaging content on your computer. First, set your Internet zone security level to High in Internet Explorer. To do so, follow these steps:

  1. On the Tools menu, click Internet Options.
  2. Click the Security tab, click Internet, and then click Default level.
  3. Move the slider to High, and then click OK.

Next, add the URLs for Web sites that you trust to the Trusted Sites zone. To do so, follow these steps:

  1. On the Tools menu, click Internet Options.
  2. Click the Security tab.
  3. Click Trusted sites.
  4. Click Sites.
  5. If the sites that you want to add do not require server verification, click to clear the Require server verification (https:) for all sites in this zone check box.
  6. Type the address of the Web site you want to add to the Trusted sites list.
  7. Click Add. Repeat steps 6 and 7 for each web site that you want to add.
  8. Click OK two times.

Using Virus Protection Features in Outlook / OE 6

Reading e-mail messages in plain text in Outlook or Outlook Express lets you see the full URL of any hyperlink and examine the address that Internet Explorer will actually use. Characters that may appear in a URL designed to lead to a spoofed web site include %00, %01, and @. Anything before the @ in a URL is treated as a user name rather than as the site name, so a URL of the form "http://www.harmlesslink.com%01@badsite.com" will actually open "http://badsite.com", while the address bar of an unpatched Internet Explorer may show only "http://www.harmlesslink.com".
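As an added example (not Outlook, Outlook Express or Microsoft code), the following Python script does mechanically what reading in plain text lets you do by eye: it pulls every link out of a constructed HTML message body, works out the host a browser would really connect to, and flags links whose visible text points somewhere else or whose address uses the user-info-before-@ trick. The sample message and the spoofing heuristics are the example's own assumptions.

```python
"""Reveal the real target of each link in an HTML message.

Added example, not code from Outlook, Outlook Express or Microsoft. The
message body below is a constructed sample and the spoofing checks are this
example's own heuristics.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample HTML message body (assumption for the example).
SAMPLE_HTML = """
<p>Your account needs attention.
<a href="http://www.harmlesslink.com%01@badsite.com/login">www.harmlesslink.com</a>
<br>Or read our policy at <a href="http://www.harmlesslink.com/policy">policy</a>
<br>Direct: <a href="http://badsite.com">http://badsite.com</a></p>
"""


def effective_host(url: str) -> str:
    """The host the browser will actually connect to.

    In URL syntax everything before the last '@' in the authority part is
    user information, not the host; urlsplit applies that rule for us.
    """
    return urlsplit(url).hostname or ""


def spoof_indicators(url: str) -> list:
    """Return the reasons a URL looks designed to mislead the reader."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None:
        reasons.append("user-info before '@' hides the real host")
        # %00 and %01 decode to control characters; older Internet Explorer
        # stopped drawing the address bar at that point.
        if any(ord(c) < 0x20 for c in unquote(parts.username)):
            reasons.append("control character (%00/%01) in user-info")
    return reasons


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def inspect_links(html: str) -> list:
    """For each link: visible text, href, real host, and why it is suspect."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        host = effective_host(href)
        reasons = spoof_indicators(href)
        # Only compare when the visible text itself looks like an address.
        if "://" in text or ("." in text and " " not in text):
            shown = effective_host(text if "://" in text else "http://" + text)
            if shown and shown != host:
                reasons.append(f"text shows {shown}, link goes to {host}")
        report.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return report


if __name__ == "__main__":
    for entry in inspect_links(SAMPLE_HTML):
        flag = "SUSPECT" if entry["reasons"] else "ok"
        print(f"{flag:7} {entry['text']!r} -> {entry['host']} {entry['reasons']}")
```

The host check is the same rule a browser applies, which is exactly why badsite.com is the real destination. Recent Internet Explorer updates reject URLs with user information outright, but mail clients and other browsers may still pass them along, so the check remains worth doing on links before clicking them.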

The Outlook E-mail Security Update released for Outlook 98 and Outlook 2000 disables many of the features that allow viruses to spread quickly. The security update is also integrated into Office 2000 Service Pack 2. Outlook 2002 also has the features of the update built in, with one major change: Outlook 2002 users can modify the list of blocked attachments.

To find out whether your copy of Outlook includes the security update or can be updated, you should check the version number with the Help | About Microsoft Outlook command and compare it with this chart, which lists the versions with the security update:

  • Outlook 97: Not applicable, security update not available for Outlook 97
  • Outlook 98: Version 8.5.7806 and later
  • Outlook 2000: Version 9.0.0.4201 and later
  • Outlook 2002: All versions (10.0.x.x)
  • Outlook 2003: All versions (11.0.x.x)
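Here is an added example (not Microsoft code) that automates the comparison with the chart above: it parses the version string from the About dialog, identifies the product from its major version (Outlook 97 reports 8.0x, Outlook 98 reports 8.5.x), and compares builds numerically. The version strings in the demonstration loop are constructed samples.

```python
"""Check an Outlook Help | About version number against the chart above.

Added example, not Microsoft code. The minimum builds are the ones listed in
the chart; the version strings in the demonstration are constructed samples.
"""

# Minimum build that includes the Outlook E-mail Security Update, from the
# chart. None means the update was never made available for that product.
MINIMUM_WITH_UPDATE = {
    "Outlook 97": None,
    "Outlook 98": "8.5.7806",
    "Outlook 2000": "9.0.0.4201",
    "Outlook 2002": "10.0",
    "Outlook 2003": "11.0",
}


def parse_version(text: str) -> tuple:
    """Turn '9.0.0.4201' into (9, 0, 0, 4201).

    Comparing numerically matters: compared as strings, '8.5.10000'
    would sort below '8.5.7806' because '1' < '7'.
    """
    numbers = []
    for part in text.strip().split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break  # stop at a trailing suffix such as 'SR-1'
        numbers.append(int(digits))
    if not numbers:
        raise ValueError(f"no version number in {text!r}")
    return tuple(numbers)


def version_at_least(installed: str, minimum: str) -> bool:
    """True if installed >= minimum; shorter tuples are padded with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def product_for(version: str) -> str:
    """Map the major version to the product (8.0x is Outlook 97, 8.5 is 98)."""
    v = parse_version(version)
    if v[0] == 8:
        return "Outlook 98" if len(v) > 1 and v[1] >= 5 else "Outlook 97"
    return {9: "Outlook 2000", 10: "Outlook 2002", 11: "Outlook 2003"}.get(v[0], "unknown")


def has_security_update(version: str) -> bool:
    """Does the installed build include the E-mail Security Update?"""
    minimum = MINIMUM_WITH_UPDATE.get(product_for(version))
    return minimum is not None and version_at_least(version, minimum)


if __name__ == "__main__":
    # Constructed sample readings from several machines.
    for ver in ["8.04", "8.5.7806", "8.5.5104", "9.0.0.4201", "9.0.0.3821", "10.0.2627.1"]:
        print(f"{ver:12} {product_for(ver):13} update present: {has_security_update(ver)}")
```

Numeric comparison is the point of the exercise: compared as text, a later build such as 8.5.10000 would sort before 8.5.7806 and be reported as unpatched.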

The update makes it difficult, if not impossible, to execute program files from within Outlook -- including VBScript .vbs files like those that spread Loveletter. It also aims to make it harder for a virus to use Outlook to send itself by e-mail. This aspect of the update, however, means that some Outlook features will no longer function at all. In other cases, a user may need to authorize access by outside programs, such as bulk mail applications.

Disabling Active Scripting in Internet Explorer can prevent many pop-up windows from opening on your computer as well. To disable Active Scripting for a particular web site, you can add that site to the Restricted Sites zone, and then disable Active Scripting and other content for the Restricted Sites zone. This prevents most pop-ups from working, but only for the sites that you add to the Restricted Sites zone.

To add a site to the Restricted Sites zone in Internet Explorer:

  1. Start Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Security tab.
  4. Click Restricted Sites, and then click Sites.
  5. In the Add this Web site to the zone box, type the Web address for the site that you want to restrict, and then click Add. Repeat this step if you want to add other sites to the zone.
  6. Click OK.
  7. Click Default Level to set the Restricted Sites zone to the recommended level, which disables Active Scripting.
  8. Click OK.

The Virus Protection features in Outlook Express 6 are found on the Security tab of the Tools, Options dialog box.

Microsoft-assisted support for Outlook 97 and 98 has ended, so no additional patches will be issued. Help can be found only by searching or posting a question to newsgroups, or by reviewing the support documents posted on the HALNet Support page at www.hal-pc.org/support/ (scroll down to the "email" section).

To play it safe, update Internet Explorer and Outlook or OE to the latest version and keep an eye out for critical patches and updates. The newest versions have their own minimum requirements (Outlook 2003, for example, needs Windows 2000 SP3 or later), so check them before you upgrade. Otherwise your PC may end up in the computer hospital in critical condition.