Our first article on the safety of Outlook, and specifically the reading pane, was published in EMO in April 2004. Although the original article is nearly 10 years old, it is every bit as true today. The fact that there have been no preview pane exploits in more than 10 years shows how safe the preview pane really is. Follow-up articles were published periodically.
Preview / Reading Pane Safety by version: The reading pane in Outlook 2003 and up is slightly safer to use than opening a message. This is because no active content will run in the reading pane. Outlook 2002 and Outlook 2000 post-SP1: these are secure. Anything prior to Outlook 2000 post-SP1 is NOT secure.
How Safe is the Reading Pane?
Published EMO, July 2010
I haven't written about reading pane safety in a few years as there is little need to: very few people ask about it anymore, thanks to the security features built into Outlook. It has been ten years since Outlook could be used to send virus-infected messages automatically, or was any less safe than other email clients, and few people worry about Outlook triggering a virus without user interaction.
Recently, a user had this to say:
"All my email goes first through Mailwasher so that I can check the headers to ensure it is coming from where it says it is. Catches all the banking phishing. Then all email goes through Benign to remove all the call-home single pixel links to websites. Anything received which doesn't come from a known sender is then routed to a folder which does not have the reading pane enabled. Using 'Message Options' was the final check I made."
That's a lot of work for very little benefit. While I can understand using MailWasher or a junk filter to get rid of most of the really obvious junk before Outlook downloads it when your mail server doesn't filter for you, the rest is overkill and a waste of time.
Since Outlook 2003, Outlook has the ability to block web bugs and other external content and this feature is enabled by default. The junk email settings can be configured to allow downloaded content when the sender is trusted and it takes a second to enable it for any message as needed, making it really convenient to leave this enabled by default.
My preference is to leave all external content blocked and enable it for each message as needed. For the most part, friends won't send email that needs external content to be readable. Newsletters and advertisers do use external content but I don't always want or need to see their external content and enable it when I want to view it by clicking on the infobar to download blocked external content.
The reading pane in Outlook is very safe these days; in fact, it's been safe to use since Outlook 2000 SP1's infamous security patch. The reading pane is actually slightly safer than opening a message to read it. If you still don't trust the reading pane not to run active content, use Outlook's Read as plain text option. This converts all mail to plain text and is 100% safe, since nothing runs in plain text. With a simple click in the infobar, you can easily revert to HTML to read any message in HTML format. While most people use HTML because they feel it's easier to read (myself included), most messages don't use HTML features or formatting that would require HTML, so messages from friends and colleagues will be readable. Advertisements and newsletters would be most affected, and you can enable HTML for those as needed.
You can also configure Outlook to force you to save attachments before opening them (if you don't trust yourself enough not to accidentally open zip and other attachments). This really isn't necessary for security, as all attachments are written to the Temporary Internet Files folder before Outlook opens them, so your antivirus should pick up any bad things in them. But since opening infected attachments is the only way newer versions of Outlook are involved in virus attacks, this is protection against accidentally opening attachments. At the very least, it might slow a user down long enough to realize the message is not legitimate.
Use the Level1Remove registry value to force users to save file types that are not currently blocked. (Replace 14.0 with your version of Outlook.) Add the file extensions to the value in the format shown below. (If you prefer to block certain extensions completely, create a Level1Add value under the same Security key, using the same format.)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
Value name: Level1Remove (a String value, REG_SZ; a DWORD cannot hold the extension list)
Value data: .zip;.html;
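The following PowerShell function is an added example, not code from the original article: it merges extensions into Level1Remove (save before opening) or Level1Add (block completely) without overwriting what is already listed. The function name is invented for this example, and the "14.0" default assumes Outlook 2010; pass the version of the Outlook you have installed.

```powershell
# Added example (not from the original article). Level1Remove demotes the listed
# extensions to Level 2 (user must save to disk before opening); Level1Add blocks
# them outright. Both are REG_SZ strings of the form ".ext1;.ext2;" under the
# per-user Security key. Version "14.0" (Outlook 2010) is an assumption.
function Set-OutlookAttachmentList {
    param(
        [Parameter(Mandatory)][string[]]$Extensions,
        [ValidateSet('Level1Remove', 'Level1Add')][string]$ValueName = 'Level1Remove',
        [string]$Version = '14.0'
    )

    $keyPath = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Security"
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # Read whatever is already listed so we merge rather than overwrite.
    $current = (Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $existing = @()
    if ($current) {
        $existing = @($current -split ';' | Where-Object { $_.Trim() -ne '' })
    }

    # Normalise each entry: lower-case, leading dot, no duplicates.
    $merged = @(($existing + $Extensions) | ForEach-Object {
        $e = $_.Trim().ToLower()
        if ($e.StartsWith('.')) { $e } else { ".$e" }
    } | Sort-Object -Unique)

    # Outlook expects a trailing semicolon after the last extension.
    $newValue = ($merged -join ';') + ';'
    Set-ItemProperty -Path $keyPath -Name $ValueName -Value $newValue -Type String

    return $newValue
}

# Force .zip and .html attachments to be saved before they can be opened.
Set-OutlookAttachmentList -Extensions '.zip', '.html'

# Block .iso attachments completely instead (example extension, not on the default list).
Set-OutlookAttachmentList -Extensions '.iso' -ValueName 'Level1Add'
```

Outlook reads these values at startup, so restart Outlook after running the script and check the infobar on a test message with a matching attachment.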
See Block Additional Attachment Types for more information on this method and some add-ins that make it easier to manage blocked file attachments.
Frequently Asked Reading Pane and Preview Pane Questions
Some of my IT friends insist that it is dangerous to have the preview pane switched on in Outlook. Some of my IT friends say that it is not true that I can get a virus by simply viewing the message via the preview pane.
Some of her IT friends are correct: you can't get a virus just by reading an email if you have all of the latest patches for your version of Outlook, Windows, and Internet Explorer. Even if you aren't completely up-to-date, you're still pretty safe using the preview pane, especially if you are using modern versions (Outlook 2007 and newer).
I switched off the option that an e-mail will be marked as read when I flick through my messages.
Marking a message read (or not marking it read) will not affect the security of the preview pane. It's the act of viewing the message that is risky. Because security is tighter on the preview pane than on opened messages, using it is slightly less risky than actually opening the message, but the reasons for this have nothing to do with the read state.
Can I get a virus if I have the preview pane switched on but do not open the actual e-mail?!
Anything may be possible in the future, but at this time the answer is No, you can't get a virus by reading a message in preview.
Diane, have you seen this? Cursor and Icon Format Handling Vulnerability - CAN-2004-1049. A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Now do you believe that Previewing a "malicious e-mail message" is sufficient to avoid this? I suggest NOT. Don't preview and you don't have to worry about it. Pretty simple.
I've looked at that (and many other exploits) and there is a common denominator in most of these: the user needs to perform a specific action to activate the exploit. In this case, they need to visit a specially crafted web page and click a link. Unless a popular site is hacked and compromised with this vulnerability, the user will need to be tricked into visiting the site and clicking. In either case, the problem isn't with Outlook and it's not something Microsoft can control.
HOW SAFE IS THE PREVIEW PANE?
Published EMO, April 2004
Every time a new virus or worm makes the news, Outlook users always ask if it's safe to use the preview pane. An article about MyDoom, published last week by InternetWeek.com, added to the confusion when it stated "All that the worm needs to propagate is a user that has an open Microsoft Windows preview pane in Outlook" and "If this Outlook pane is open, the worm automatically scours the user's contacts and files." Both statements are far from the truth.
Outlook's attachment blocking features, added to Outlook beginning with an Outlook 2000 post-SP1 patch released in June 2000, mean the preview pane in the later versions is very safe. Coupled with Internet Explorer's iFrame vulnerability patch released in 2001, Outlook's preview is very secure.
Each version of Outlook is more secure than the previous version, giving administrators little reason to disable the preview pane by default in Outlook 2002 or 2003. As always, it's best to stop infected messages at the server or gateway, which means few, if any, viruses should reach users' mailboxes. A responsible administrator will also remove executable file types from messages at the server level. As we all know, when viruses don't make it to the mailbox, the preview pane is 100% safe.
PREVIEW PANE SECURITY BY VERSION
Outlook 97 is very secure, since it cannot render HTML formatted messages. Since users can open HTML attachments which may contain exploits, you'll still need to use an antivirus scanner on the server and/or client.

Outlook 98 is the least secure version. Use Chilton Preview instead of Outlook's own preview pane for the highest level of security. Chilton Preview doesn't render HTML, and users can open the message or switch on the default preview pane to read HTML formatted mail.

Preview pane security is much improved in Outlook 2000, especially with the attachment security and iFrame patches installed. Outlook 2000 doesn't run active content in the native preview pane, meaning it's at least as safe to read messages in preview as it is to open them. Chilton Preview makes Outlook 2000 100% secure.
Outlook 2002 has the attachment security features built in, making it very secure, unless administrators allow some file types. However, iFrames may be a problem unless the iFrame security patch is installed. While the native preview pane is very safe to use, Chilton Preview can be used with Outlook 2002. Outlook 2002 SP1 allows you to disable HTML rendering on all messages by creating the read as plain registry key.
The preview pane in Outlook 2003 and above is very secure and there is no reason to disable the preview pane for antivirus reasons. Chilton Preview is not really needed with Outlook 2003 and up since those versions block downloaded content by default and users can disable HTML rendering from the Tools, Options, Preferences tab, E-mail Options dialog.
Chilton Preview prevents HTML from rendering; it also prevents web bugs from identifying users. Note that it allows easy access to blocked attachments.