Bugtraq mailing list archives

RE: MS Outlook/Outlook Express Preview Pane Security Issue


From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 26 Mar 2004 14:08:46 -0800

 

-----Original Message-----
From: Jeff Uslan [mailto:jeff_uslan () speakeasy net] 
Sent: Friday, March 26, 2004 10:49 AM
To: jeff_uslan () speakeasy net
Subject: MS Outlook/Outlook Express Preview Pane Security Issue


FYI 


Just a reminder that if you are using anything but Outlook 2003.  The
HTML injection issues and other such exploits with just viewing the
preview pane have mostly been taken care of in the older versions but
issues are still popping up.

'HTML injection issues and "other such exploits" with "just viewing"
the email have been cropping up in older versions'... this does not mean
they will not happen in Outlook 2003.

There should definitely be some such bugs in Outlook 2003. There is a
lot of ground to cover where these situations could happen. (i.e.,
numerous message types, numerous automated functions -- just a lot of
code... and a past history... which gives us some probabilistic guess
about potential vulnerability.)

Outlook 2003 does provide numerous security enhancements, some of which are
rather well hidden from users and a very nice Junk E Mail filter. Kudos
to them. [Though, they still have not figured out the simple task of
doing HTML email right. Or message threading. Another good indicator
there may be security bugs -- presence of poor or sloppy design issues
or non-security bugs.]

Outlook 2003 is not free, so expect it to be looked at later rather than
sooner by the larger body of security researchers.
