Exchange Messaging Outlook Volume 15, Number 20

How Safe is the Reading Pane?

I haven't written about reading pane safety in a few years as there is little need to: very few people ask about it anymore, thanks to the security features built into Outlook. Ten years have passed since Outlook could be used to automatically send virus infected messages or was less safe than any other email client and few people worry about Outlook triggering a virus without user interaction.

Recently, a user had this to say: "All my email goes first through Mailwasher so that I can check the headers to ensure it is coming from where it says it is. Catches all the banking phishing. Then all email goes through Benign to remove all the call-home single pixel links to websites. Anything received which doesn't come from a known sender is then routed to a folder which does not have the reading pane enabled. Using 'Message Options' was the final check I made."

That's a lot of work for very little benefit. While i can understand using MailWasher or a junk filter to get rid of most of the really obvious junk before Outlook downloads it when your mail server doesn't filter for you, the rest is overkill and a waste of time.

Since Outlook 2003, Outlook has the ability to block web bugs and other external content and this feature is enabled by default. The junk email settings can be configured to allow downloaded content when the sender is trusted and it takes a second to enable it for any message as needed, making it really convenient to leave this enabled by default.

My preference is to leave all external content blocked and enable it for each message as needed. For the most part, friends won't send email that needs external content to be readable. Newsletters and advertisers do use external content but I don't always want or need to see their external content and enable it when I want to view it by clicking on the infobar to download blocked external content.

The reading pane in Outlook is very safe these days, in fact, its been safe to use since Outlook 2000 SP1's infamous security patch. In fact, the reading pane slightly safer than opening a message to read it. If you still don't trust the reading pane to not run active content, use Outlook's Read as plain text option. This converts all mail to plain text and its 100% safe, since nothing runs in plain text . With a simple click in the infobar, you can easily revert to HTML to read any message in HTML format. While most people use HTML because they feel it’s easier to read (myself included), most messages don't use HTML features or formatting that would require HTML, so messages from friends and colleagues will be readable. Advertisements and newsletters would be most affected and you can enable HTML for those as needed.

You can also configure Outlook to force you to save attachments before opening (if you don't trust yourself enough not to accidentally open zip and other attachments). This really isn't necessary for security as all attachments are written to the Temporary Internet files folder before Outlook opens them, so your antivirus should pick up any bad things in them. But since opening infected attachments is the only way newer versions of Outlook are involved in virus attacks, this is protection against accidently opening messages. At the very least, it might slow a user down long enough to realize the message is not legitimate.

Use the Level1Remove DWORD force users to save file types not currently blocked. (Replace 14.0 with your version of Outlook.) Add the file extensions to the value in the format shown below. (If you prefer to block certain extensions completely, create a Level1Add value under the Security key.)

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
DWORD: Level1Remove
Values: .zip;.html;

See Block Additional Attachment Types for more information on this method and some add-ins that make it easier to manage blocked file attachments.

Our first article on the safety of Outlook, and specifically the reading pane, was published in EMO in April 2004
HOW SAFE IS THE PREVIEW PANE?

Outlook 2010 & Read-Only Attachments

Users who recently upgraded to Outlook 2010 are complaining about a change in behavior in Outlook 2010: When attachments are opened from a message, they are read-only. Users can no longer edit the attachment and save the changes in the back to the message, they need to save the attachment to the hard drive and reattach it.

Read complete article...

Customizing Outlook's Map Provider

Outlook 2010 uses Bing maps to map addresses for contacts but you can change it to other popular mapping services by editing the registry.

Open the registry editor and browse to
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Options\General

Right click and choose New, String Value. Enter MapScriptURL for the string value name. Double click on the MapScriptURL key to open it and enter the URL for another mapping service. For example, to use Google maps, you'd enter http://maps.google.com/?q=<0s>, <1s>, <2s>, <3s>, <4s>

Open a contact and click the Map It button to test. (You do not need to restart Outlook.)

This also works with Outlook 2000 and 2002 (change the version number in the registry key), but not with Outlook 2003 or 2007.

See Customize Outlook's Map Link for more information, URLs for other map services and ready to use registry files to make the changes.