Our first article on the safety of Outlook, and specifically the reading pane, was published in EMO in April 2004. Although the original article is 14 years old, it is every bit as true today. The fact that there have been no preview pane exploits in more than 14 years shows how safe the preview pane really is. Follow-up articles were published periodically.
The reading pane in Outlook is slightly safer to use than opening a message, because no active content will run in the reading pane. What about attachments? As with the message body, the attachment preview is a little more secure than opening the attachment, because macros and other active content can't run in it.
Wondering if the thumbnail previews for image attachments are safe? See Is the Image Preview Secure?
How Safe is the Reading Pane?
Published EMO, July 2010
I haven't written about reading pane safety in a few years as there is little need to: very few people ask about it anymore, thanks to the security features built into Outlook. Ten years have passed since Outlook could be used to automatically send virus-infected messages, or was any less safe than other email clients, and few people now worry about Outlook triggering a virus without user interaction.
Recently, a user had this to say:
"All my email goes first through Mailwasher so that I can check the headers to ensure it is coming from where it says it is. Catches all the banking phishing. Then all email goes through Benign to remove all the call-home single pixel links to websites. Anything received which doesn't come from a known sender is then routed to a folder which does not have the reading pane enabled. Using 'Message Options' was the final check I made."
That's a lot of work for very little benefit. While I can understand using MailWasher or a junk filter to get rid of most of the really obvious junk before Outlook downloads it, when your mail server doesn't filter for you, the rest is overkill and a waste of time.
Since Outlook 2003, Outlook has been able to block web bugs and other external content, and this feature is enabled by default. The junk email settings can be configured to allow downloaded content when the sender is trusted, and it takes a second to enable it for any message as needed, which makes it convenient to leave blocking enabled by default.
My preference is to leave all external content blocked and enable it for each message as needed. For the most part, friends won't send email that needs external content to be readable. Newsletters and advertisers do use external content but I don't always want or need to see their external content and enable it when I want to view it by clicking on the infobar to download blocked external content.
The reading pane in Outlook is very safe these days; in fact, it's been safe to use since Outlook 2000 SP1's infamous security patch, and the reading pane is slightly safer than opening a message to read it. If you still don't trust the reading pane not to run active content, use Outlook's Read as plain text option. This converts all mail to plain text, and it's 100% safe, since nothing runs in plain text. With a simple click in the infobar, you can revert to HTML to read any message in HTML format. While most people use HTML because they feel it's easier to read (myself included), most messages don't use HTML features or formatting that would require HTML, so messages from friends and colleagues will be readable. Advertisements and newsletters would be most affected, and you can enable HTML for those as needed.
You can also configure Outlook to force you to save attachments before opening them (if you don't trust yourself not to accidentally open zip and other attachments). This really isn't necessary for security, as all attachments are written to the Temporary Internet Files folder before Outlook opens them, so your antivirus should pick up anything bad in them. But since opening infected attachments is the only way newer versions of Outlook are involved in virus attacks, this is protection against accidentally opening attachments. At the very least, it might slow a user down long enough to realize the message (and its attachments) is not legitimate.
Use the Level1Remove value to force users to save file types that are not currently blocked. (Replace 14.0 with your version of Outlook.) Add the file extensions to the value in the format shown below; the value holds a semicolon-separated string, so it is a string (REG_SZ) value, not a number. (If you prefer to block certain extensions completely, create a Level1Add value under the Security key.)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
Value: Level1Remove (string)
Data: .zip;.html;
See Block Additional Attachment Types for more information on this method and some add-ins that make it easier to manage blocked file attachments.
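As an added example (not code from the original article), this PowerShell script merges extensions into the current user's Level1Remove value so it can be re-run without duplicating or clobbering entries; it assumes Outlook 2010 (registry version 14.0) and the .zip and .html extensions used above, and it writes the value as a string (REG_SZ), the type Outlook reads for this setting.

```powershell
# Added example: idempotently add extensions to Outlook's Level1Remove value so
# Outlook forces a Save before those attachment types can be opened.
# Assumes Outlook 2010 (14.0); pass -OfficeVersion for other releases.
param(
    [string]   $OfficeVersion = '14.0',
    [string[]] $Extensions    = @('.zip', '.html')
)

$securityKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"

function Get-Level1List {
    # Returns the existing Level1Remove entries as an array of ".ext" strings
    # (empty array when the value or the key does not exist yet).
    param([string] $Key)
    $item = Get-ItemProperty -Path $Key -Name 'Level1Remove' -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    return @($item.Level1Remove -split ';' | Where-Object { $_ -ne '' })
}

function Set-Level1Remove {
    # Merges $Add into the current list and writes it back; returns the new data.
    param([string] $Key, [string[]] $Add)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    $current = Get-Level1List -Key $Key
    # Normalise each entry: trim, lowercase, ensure a leading dot, drop duplicates.
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($ext in (@($current) + @($Add))) {
        $e = $ext.Trim().ToLowerInvariant()
        if ($e -eq '') { continue }
        if (-not $e.StartsWith('.')) { $e = ".$e" }
        if (-not $merged.Contains($e)) { $merged.Add($e) }
    }
    # Outlook expects the ".zip;.html;" form, including the trailing semicolon.
    $data = ($merged -join ';') + ';'
    # Level1Remove is a REG_SZ string; -Force overwrites an existing value.
    New-ItemProperty -Path $Key -Name 'Level1Remove' -Value $data `
        -PropertyType String -Force | Out-Null
    return $data
}

$result = Set-Level1Remove -Key $securityKey -Add $Extensions
Write-Host "Level1Remove is now: $result (restart Outlook to apply)"
```

Outlook reads this value at startup, so the change takes effect the next time Outlook is launched.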
Frequently Asked Reading / Preview Pane Questions
Some of my IT friends insist that it is dangerous to have the preview pane switched on in Outlook. Some of my IT friends say that it is not true that I can get a virus by simply viewing the message via the preview pane.
Some of her IT friends are correct: you can't get a virus just by reading an email if you have all of the latest patches for your version of Outlook, Windows, and Internet Explorer. Even if you aren't completely up to date, you're still pretty safe using the preview pane, especially if you are using modern versions (Outlook 2007 and newer).
I switched off the option that an e-mail will be marked as read when I flick through my messages.
Marking a message read (or not marking it read) will not affect the security of the preview pane. It's the act of viewing the message that is risky. Because security is tighter on the preview pane than on opened messages, using it is slightly less risky than actually opening the message, but the reasons for this have nothing to do with the read state.
Can I get a virus if I have the preview pane switched on but do not open the actual e-mail?
Anything may be possible in the future, but at this time the answer is No, you can't get a virus by reading a message in preview.
Diane, have you seen this? Cursor and Icon Format Handling Vulnerability - CAN-2004-1049. A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. Now do you believe that Previewing a "malicious e-mail message" is sufficient to avoid this? I suggest NOT. Don't preview and you don't have to worry about it. Pretty simple.
I've looked at that (and many other exploits) and there is a common denominator in most of these: the users need to perform a specific action to activate the exploit. In this case, they need to visit a specially crafted web page and click a link. Unless a popular site is hacked and compromised with this vulnerability, the user will need to be tricked into visiting the site and clicking. In either case, the problem isn't with Outlook and it's not something Microsoft can control.
Does this one set a precedent?
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1201
Q: Is the Preview Pane an attack vector for this vulnerability?
A: Yes, the Preview Pane is an attack vector.
I need to check - I think it's the attachment preview, not the email, that is the issue. But opened messages would also be a problem... and like most exploits these days, it doesn't happen on its own:
Is the reading pane of OWA also this safe? Thank you.
For the most part, but because it's in the browser, it would be easier for an exploit. The important thing is making sure you install updates, both for Windows and your antivirus. Microsoft has this page - https://www.microsoft.com/en-us/trustcenter/security/office365-security - but it's more about the overall service and backend. I'll see if I can find a better article, specific to OWA.
Have you heard about the rtf vulnerability?
https://krebsonsecurity.com/2014/03/microsoft-warns-of-word-2010-exploit/
When researching it for work I found mention of the same/similar vulnerability in articles dated back to November 2010! They have almost the same information with regards to malicious code that can allow remote code to give access to a hacker with the same permissions as the user who tripped the code. And it does say that just previewing the rtf file is enough to get hit by the booby trap.
The reading pane is sandboxed so it should be safe, but I have a macro that converts RTF messages to plain text or HTML (better than using the Read all as plain text setting, IMHO).
Outlook & the latest RTF exploits
Read all messages as plain text