Re: Outlook converts my HTML email to text
- From: "Vanguard" <vanguard.news@xxxxxxxxxxxx>
- Date: Sun, 28 May 2006 15:39:41 -0500
"Sue Mosher [MVP-Outlook]" <suemvp@xxxxxxxxxxxxxxx> wrote in message news:uRL$UblgGHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
I've been following Outlook security issues for nearly 10 years now. Outlook blocks HTML scripts and executable attachments. The last significant vulnerability was eliminated years ago when the <iframe> tag was blocked. Potential vulnerabilities (none found in the wild that I can recall) are addressed with the occasional security patch for IE or Word, although we could all wish for those to come faster.
If you know of an instance in the past 5 years when an HTML message by itself caused an actual -- not a theoretical -- problem on a system running a fully patched, current version of Outlook, I'm sure we'd all be able to learn something from it, but I don't recall such a case. I'm always willing to learn, though.
--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003
http://www.turtleflock.com/olconfig/index.htm
and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
http://www.outlookcode.com/jumpstart.aspx
"Melelina" <melelina@xxxxxxxxxxxx> wrote in message news:e5o0QjjgGHA.3588@xxxxxxxxxxxxxxxxxxxxxxx
With such astounding ignorance displayed, I have no idea where to start! Do
you know anything about computer security? Why don't you start reading the
dslreports.com security forum and Wilderssecurity.com and castlecops.com and
get some much needed education?
"Sue Mosher [MVP-Outlook]" <suemvp@xxxxxxxxxxxxxxx> wrote in message
news:OWyQ82egGHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
HTML mail is not dangerous. What makes you think that it is?
"Melelina" <melelina@xxxxxxxxxxxx> wrote in message
news:e52shTegGHA.3996@xxxxxxxxxxxxxxxxxxxxxxx
Why would you want to view mail in HTML? That is dangerous. All mail should be read and replied to in plain text for security reasons.
"Dena Jo" <me@xxxxxxxxxxx> wrote in message
news:Xns97D04AD6B6C9FDenaJo@xxxxxxxxxxxxxx
But only occasionally, and I have to click on the message bar and
choose Display as HTML to see it as it was meant to be seen. How can I
stop Outlook from arbitrarily displaying HTML email as text?
The last security flaw that I heard about was the one involving images. If the e-mail client displayed the image, it was possible to infiltrate the host. However, that really wasn't a fault in Outlook. That was a fault in the graphics engine back in Windows, so the infiltration occurred in any e-mail client that showed the image. The infiltration occurred even when no e-mail client was used and the user simply opened the image file. The file didn't even have to come via an e-mail client. Some nasty web sites used the technique in the graphics they showed on their pages.
Only ignorant users would *change* the security zone from Restricted Sites to Internet. Some do because they want Javascript or applets running in their e-mails but then they have deliberately chosen to reduce security. The default in Outlook is to render HTML-formatted e-mails in the Restricted Sites security zone, and the default for the Restricted Sites security zone is at its High settings level. If you reduce either of those, you are the idiot for doing so and shouldn't waste anyone's time whining about infections because of YOUR choices to reduce security.
The only remaining security hole that none of the security zones address is the use of the web beacon (or web bug). None of them restrict linked content, like a graphic image (which you may not even see since it could be one pixel that is the same color as the background). It wasn't until the option got added to Outlook [Express] to block Internet content that this hole got addressed. I don't remember if it was set by default, so check that it is set. If you really need to see those linked images, you get an infobar to make that choice, but it is still YOUR choice to go yank those images from someone else's server that can track that you yanked those images.
So, Melelina, rather than spew vaguities regarding what you aggregated from others' posts, please explain to us just how HTML-formatted e-mails can cause harm? With settings of Restricted Sites at its High level and with the option to block linked content, please favor us with some real information regarding how HTML-formatted e-mails can cause harm (other than to bloat a message that could've been easily sent as just plain text). We are waiting for some real information, not regurgitation of some nebulous feelings. If you have real info on an attack vector through HTML-formatted e-mails when using Outlook, we would definitely like to hear about it.
--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________
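
Added example, not part of the original post: a small Python check for the linked content (web beacons) discussed in the message above. It lists every URL an HTML message would fetch on render and flags likely tracking pixels. The sample message, the `example` hosts and the 1x1 / `display:none` heuristic are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message; all hosts are placeholders.
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body bgcolor="#ffffff">
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example/o.gif?id=reader%40example.com" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="90">
<table background="http://tracker.example/bg.gif"><tr><td>x</td></tr></table>
</body></html>
"""

REMOTE = re.compile(r"^(https?:)?//", re.I)
FETCH_ATTRS = ("src", "background")  # fetched on render, no click needed

class RemoteContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, url, looks_like_beacon)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for name in FETCH_ATTRS:
            url = a.get(name, "").strip()
            if not REMOTE.match(url):
                continue  # cid:, data: and relative refs stay inside the message
            tiny = (tag == "img" and a.get("width") in ("0", "1")
                    and a.get("height") in ("0", "1"))
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            self.hits.append((tag, url, tiny or hidden))

def find_remote_content(raw_message):
    """Return remote fetches in every text/html part of an RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    finder = RemoteContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits

if __name__ == "__main__":
    for tag, url, beacon in find_remote_content(SAMPLE):
        print(("BEACON? " if beacon else "remote  ") + f"<{tag}> {url}")
```

Any hit, flagged or not, tells the remote server that the message was opened, which is why blocking all linked content is the stronger control than filtering on image size.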