Several vulnerabilities in HTML mail make it possible for malicious code or file attachments to launch when you preview a message in some versions of Outlook, unless you have the latest patches for Internet Explorer.
The lesson: Not only do you need to keep your anti-virus software updated and scan any attachments before opening them, but you should also stay current with updates to Internet Explorer, whose components are used to display HTML format mail messages in Outlook 98 and later versions. For example, the latest update for IE neutralizes the <IFRAME> tag used by Klez and other recent viruses. (NOTE: This update will cause a change in the appearance of the Find pane in Outlook 2000 and the Organize pane in Outlook 2000 and 2002. The problem is that, for some reason, the update interferes with the loading of the cascading style sheet used for those panes, which are controlled by HTML code in an Outlook .dll. The benefit of the greater security protection far outweighs this cosmetic annoyance.)
Microsoft has issued a security bulletin, MS02-021 E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward, with a patch to fix the security vulnerability recently publicized by security consultant Georgi Guninski. The reported exploit could allow malicious script to run when a user replies to or forwards a message and is using WordMail as the editor. Prerequisites for the patch: For Word 2002, Office XP Service Pack 1. For Word 2000, Office 2000 Service Release 1/1a.
See Protecting Microsoft Outlook against Viruses for details on techniques for preventing viruses from entering your system through Outlook or propagating to Outlook address book entries.
Office XP Service Pack 1 adds a new feature to Outlook 2002 -- the ability to display all incoming messages (except those that are digitally signed or encrypted) in plain text format. The original HTML or rich-text content is still present in the message, but in both an open message and the preview pane, the user sees only plain text. OL2002 Users Can Read Nonsecure E-mail As Plain Text explains this new feature and cautions that it can have an effect on custom Outlook solutions.
Unless your copy of Internet Explorer is current with the latest patches, you may be running a risk of virus infection via an HTML message. If you don't know what version you have, see How to Determine Which Version of Internet Explorer Is Installed.
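The plain-text display described above is a rendering decision, but the same check can be made before a message ever reaches a mail client. The following is an added example, not code from this page or from Microsoft: it walks the MIME parts of a raw message, reports any active-content tags (IFRAME, SCRIPT, OBJECT and the like) in the HTML parts, and produces the plain-text view a reader would see; the function name and the embedded sample message are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Tags that let an HTML message pull in or run content rather than just display it.
ACTIVE_TAGS = {"iframe", "script", "object", "embed", "applet"}


class _PlainTextRenderer(HTMLParser):
    """Keep text content only; drop every tag and the bodies of script/style."""

    def __init__(self):
        super().__init__()
        self.chunks = []      # text fragments in document order
        self.active = []      # (tag, attrs) for each active-content tag seen
        self._skip = 0        # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append((tag, dict(attrs)))
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "tr", "li"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def analyze_message(raw: bytes) -> dict:
    """Return the plain-text view of all HTML parts and the active tags found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, active = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        renderer = _PlainTextRenderer()
        renderer.feed(part.get_content())
        text.append(re.sub(r"\n\s*\n+", "\n", "".join(renderer.chunks)).strip())
        active.extend(renderer.active)
    return {"plain_text": "\n".join(text), "active_tags": active}


# Constructed sample: a harmless multipart message whose HTML part hides an IFRAME.
SAMPLE_EML = b"""From: sender@example.com
To: user@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hello, please see the attached report.
--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>Hello,</p><p>please see the attached <b>report</b>.</p>
<iframe src="cid:hidden" width="0" height="0"></iframe>
<script>var t = 1;</script></body></html>
--b1--
"""
```

Running `analyze_message(SAMPLE_EML)` returns the readable text only, with the IFRAME and its `src` listed under `active_tags` for a filter or log to act on.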
Use These Updates
| Your version of Internet Explorer | Update to apply |
|---|---|
| IE 6.0 | October 2003 Cumulative Patch for Internet Explorer |
| IE 5.5 Service Pack 2 | October 2003 Cumulative Patch for Internet Explorer |
| Earlier versions | Internet Explorer 6, using the Typical or Custom install (see IE 6.0 Note below), plus the October 2003 Cumulative Patch for Internet Explorer |
Beginning with the April 2003 IE patch, the IE updates disable the Customize Outlook Today option in Outlook 2000. To restore this option, follow the instructions in OL2000 You Cannot Customize Outlook Today After You Install Critical Update 813489 for Internet Explorer.
As of October 28, 2001, Microsoft discontinued hotfix updates for IE versions before 5.5 SP2 (except for some for 5.01 on Windows 2000) and is no longer testing those versions of IE for newly discovered vulnerabilities. Therefore, earlier versions will not receive the patches they might need for complete HTML mail safety. If you are using an earlier version of IE, you should upgrade to IE 6.0 (Windows 95 users can update only to IE 5.5 SP2).
Other HTML Mail Security Patches
MS03-014 Cumulative Patch for Outlook Express
Update for OE 5.5 and 6.0 that also affects rendering of HTML messages in Outlook or later. Important for avoiding infection with the Mimail virus, unless you are using a version of Outlook with the Email Security Update.
MS02-021 E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward
Update for Word 2000 and Word 2002 to eliminate a vulnerability in HTML or RTF format mail that could allow malicious script to run when a user replies to or forwards a message and is using WordMail as the editor. Prerequisites: For Word 2002, Office XP Service Pack 1 -- included in Office XP Service Pack 2. For Word 2000, Office 2000 Service Release 1/1a.
MS01-038 - Outlook View Control Exposes Unsafe Functionality
Updated version of the Outlook View Control for Outlook 2000 and Outlook 2002 to cure a vulnerability that could allow malicious code in a web page to manipulate your local Outlook data. For Outlook 2002, this update is included in Office XP Service Pack 1.
Outlook 2000 Java Permissions Security Update
Security patch for Outlook 2000 to tighten permissions on the Microsoft Java virtual machine to prevent malicious Java code from running in an HTML message. The update requires the Outlook E-mail Security Update or Office 2000 SP-2. However, you can update the security settings manually by following the instructions in the article OL2000 Outlook Update for Java Permissions Security. Outlook 98 users should also follow the steps to change the permissions.
MS00-085 - Patch Available for 'ActiveX Parameter Validation' Vulnerability
Windows 2000 only
Fixes a problem with an ActiveX control that could allow code in an HTML message to run via a buffer overrun. Also included in Windows 2000 Service Pack 2.
Office 2000 Security Update UA Control Vulnerability
Updates an Office 2000 ActiveX control to mark it "safe for scripting" and remove potentially dangerous behavior from the control. Also see:
- MS00-034 - Patch Available for "Office 2000 UA Control" Vulnerability.
- OFF2000 Update Available for Office 2000 UA Control Vulnerability
- How to Update an Administrative Installation with the UA Control Security Update
- To convert incoming HTML messages to Outlook Rich Text or plain text format -- Outlook 2000 VBA code sample for Corporate/Workgroup mode users to convert incoming HTML-format messages to Rich Text or plain text format automatically
- Anti-virus Tools
- Outlook 98 Patches and Updates
- Outlook 2000 Patches and Updates
- Outlook 2002 Versions and Updates
- Unpatched IE security holes