This article does not apply to the latest versions of Outlook and Windows.
Several vulnerabilities in HTML mail make it possible for malicious code or file attachments to launch when you preview a message in some versions of Outlook, unless you have the latest patches for Internet Explorer.
The lesson: Not only do you need to keep your anti-virus software updated and scan any attachments before opening them, but you should also stay current with updates to Internet Explorer, whose components are used to display HTML format mail messages in Outlook 98 and later versions. For example, the latest update for IE neutralizes the <IFRAME> tag used by Klez and other recent viruses. (NOTE: This update will cause a change in the appearance of the Find pane in Outlook 2000 and the Organize pane in Outlook 2000 and 2002. The problem is that, for some reason, the update interferes with the loading of the cascading style sheet used for those panes, which are controlled by HTML code in an Outlook .dll. The benefit of the greater security protection far outweighs this cosmetic annoyance.)
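Because Outlook hands HTML mail to the IE rendering engine, a useful defensive check is to flag messages whose HTML part carries tags that render or execute content at preview time, such as the <IFRAME> tag named above. The following added example (not code from the original article) parses a MIME message with Python's standard library and reports such tags; the sample messages are constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags that make an HTML renderer fetch or execute content at preview time.
# <iframe> is the one the article names (used by Klez); the others are the
# classic active-content tags a mail filter should flag alongside it.
ACTIVE_TAGS = {"iframe", "script", "object", "embed", "applet"}


class ActiveContentFinder(HTMLParser):
    """Collects (tag, attributes) for every active-content start tag seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, dict(attrs)))


def scan_raw_message(raw: bytes):
    """Parse an RFC 822 message and return the active-content tags found in
    its text/html parts as a list of (tag, attrs). Empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


def build_sample(html_body: str) -> bytes:
    """Constructed sample: multipart/alternative with a text/plain part and
    the given text/html part (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text version")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


BENIGN = build_sample("<html><body><p>Hello, <b>plain</b> HTML.</p></body></html>")
SUSPICIOUS = build_sample(
    '<html><body><p>Hi</p><iframe src="cid:attached-part"></iframe></body></html>')

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = scan_raw_message(raw)
        print(f"{name}: {'clean' if not hits else hits}")
```

A gateway or client-side rule built on this can quarantine or convert such messages to plain text, which is the same effect the Office XP SP1 plain-text option described further down achieves for Outlook 2002.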
Microsoft has issued a security bulletin, MS02-021 E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward, with a patch to fix the security vulnerability recently publicized by security consultant Georgi Guninski. The reported exploit could allow malicious script to run when a user replies to or forwards a message and is using WordMail as the editor. Prerequisites for the patch: For Word 2002, Office XP Service Pack 1. For Word 2000, Office 2000 Service Release 1/1a.
See Protecting Microsoft Outlook against Viruses for details on techniques for preventing viruses from entering your system through Outlook or propagating to Outlook address book entries.
Office XP Service Pack 1 adds a new feature to Outlook 2002 -- the ability to display all incoming messages (except those that are digitally signed or encrypted) in plain text format. The original HTML or rich-text content is still present in the message, but in both an open message and the preview pane, the user sees only plain text. OL2002 Users Can Read Nonsecure E-mail As Plain Text explains this new feature and cautions that it can have an effect on custom Outlook solutions.
Unless your installed web browsers are current with the latest patches, you may be running a risk of virus infection via an HTML message. Current popular browsers will all auto-update to the newest releases; it is recommended that you do not disable this feature.
Other HTML Mail Security Patches
MS03-014 Cumulative Patch for Outlook Express
Update for OE 5.5 and 6.0 that also affects rendering of HTML messages in Outlook or later. Important for avoiding infection with the Mimail virus, unless you are using a version of Outlook with the Email Security Update.
MS02-021 E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward
Update for Word 2000 and Word 2002 to eliminate a vulnerability in HTML or RTF format mail that could allow malicious script to run when a user replies to or forwards a message and is using WordMail as the editor. Prerequisites: For Word 2002, Office XP Service Pack 1 -- included in Office XP Service Pack 2. For Word 2000, Office 2000 Service Release 1/1a.
MS01-038 - Outlook View Control Exposes Unsafe Functionality
Updated version of the Outlook View Control for Outlook 2000 and Outlook 2002 to cure a vulnerability that could allow malicious code in a web page to manipulate your local Outlook data. For Outlook 2002, this update is included in Office XP Service Pack 1.
Outlook 2000 Java Permissions Security Update
Security patch for Outlook 2000 to tighten permissions on the Microsoft Java virtual machine to prevent malicious Java code from running in an HTML message. The update requires the Outlook E-mail Security Update or Office 2000 SP-2. However, you can update the security settings manually by following the instructions in the article OL2000 Outlook Update for Java Permissions Security. Outlook 98 users should also follow the steps to change the permissions.
MS00-085 - Patch Available for 'ActiveX Parameter Validation Vulnerability'
Windows 2000 only
Fixes a problem with an ActiveX control that could allow code in an HTML message to run via a buffer overrun. Also included in Windows 2000 Service Pack 2.
Office 2000 Security Update UA Control Vulnerability
Updates an Office 2000 ActiveX control to mark it "safe for scripting" and remove potentially dangerous behavior from the control. Also see:
- MS00-034 - Patch Available for "Office 2000 UA Control" Vulnerability.
- OFF2000 Update Available for Office 2000 UA Control Vulnerability
- How to Update an Administrative Installation with the UA Control Security Update
- To convert incoming HTML messages to Outlook Rich Text or plain text format -- Outlook 2000 VBA code sample for Corporate/Workgroup mode users to convert incoming HTML-format messages to Rich Text or plain text format automatically
- Anti-virus Tools
- Outlook 2000 Patches and Updates
- Outlook 2002 Versions and Updates