Preview pane - dangerous?!
Nicole
switched on in Outlook. Some of my IT friends say that it is not true that I
can get a virus by simply viewing the message via the preview pane. I have
switched off the option that an e-mail will be marked as read when I flick
through my messages.
I love having the preview pane switched on as often I get messages from
e-mail addresses I would assume to be junk but when I read the content I
realise that it is an important message after all.
Does anyone have an answer if I can get a virus if I have the preview pane
switched on but do not open the actual e-mail?!
Regards
Nicole
Sue Mosher [MVP-Outlook]
have never patched Internet Explorer, they are very, very mistaken.
--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
http://www.outlookcode.com/jumpstart.aspx
"Nicole" <Nic...@discussions.microsoft.com> wrote in message
news:272445B6-0FE3-49D0...@microsoft.com...
George Hester
then what you can get on your machine by visiting the dubious sites the sppammers want you to go to.
Microsoft has put a lot of effort in convincing users that the preview of e-mail issue here in Outlook has been
fixed. Well now don't believe them because tomorrow they'll have another fix. Count on it.
--
George Hester
_________________________________
"Nicole" <Nic...@discussions.microsoft.com> wrote in message news:272445B6-0FE3-49D0...@microsoft.com...
Vanguard
news:272445B6-0FE3-49D0...@microsoft.com...
Make sure the security zone selected within Outlook is the Restricted
Sites zone, and then check the Restricted Sites security zone is set to
its highest setting. That kills scripts from running, file and font
downloads, ActiveX downloads and execute, and everything potentially
nasty -- EXCEPT web bugs. None of the security zones have an option to
block linked images which could be used as web bugs.
Web bugs can alert the sender that you opened their e-mail so they know
they reached a valid e-mail address and that it is actively monitored.
If you want to see how web bugs can be used to trigger on someone
opening an HTML-formatted e-mail with linked images, visit MsgTag.com.
They provide a freebie tool that lets you insert a web bug into your
e-mail that will alert you when someone opens your HTML-formatted
message. It is for senders that try an to provide an end-around read
receipts because most recipients disable that feature or have it prompt
them (and they say no). However, it is damn easy to defeat web bugs.
Read your messages in plain-text mode, configure your e-mail client to
block linked images until you decide you want to see them (if this is an
option), or use an anti-spam proxy filter, like SpamPal and its
HTML-Modify plug-in, to disable the linked images (by renaming the <IMG>
tag to <XMG> which is a bogus tag but you can go into the HTML code if
you really needed to retrieve that image by getting the URL to it). I
experimented with MsgTag for awhile but got rid of for 3 reasons: (1) It
can be easily disabled by the methods I mentioned; (2) It is an invasion
of privacy in trying to "tap" your messages to see what the recipient
does with them (it should still be the recipient's choice if they ever
inform you that they got your message); and, (3) You must send in HTML
format for web bugs to work but you shouldn't be normally using HTML for
short memos, notes, or any message that really doesn't need HTML unless
formatting is crucial to connote additional content to your message,
like using tables for columnar data or showing integrals in an equation.
If you don't want to use the Preview pane (because you've been scared by
unsubstantiated horror stories by those yet to prove the insecurity of
using the Preview pane when under the Restricted Sites security zone set
to High) then instead use the AutoPreview mode. This will show the
first lines of each message in plain-text only format. In the message
list pane when using AutoPreview mode, you see the headers for the
message followed by a few lines of the body of the message as plain
text. That way, you can determine if it looks like a message that you
want to open before you fully open it.
--
_________________________________________________________________
Post your replies to the newsgroup. Share with others.
E-mail: vanguard_help AT yahoo.com (append "#NEWS#" to Subject)
_________________________________________________________________
Diane Poremsky [MVP]
it can't run as much active content as an opened message), especially in
newer versions with all of the current windows and Outlook patches
installed. If you don't trust MS, Chilton preview gives you a plain text
view of all of your mail - without ruining the html should you want to view
it in html. (Outlook 2003's plain text feature lets you swap back to html
quickly too.)
--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)
Outlook Tips: http://www.outlook-tips.net/
Outlook & Exchange Solutions Center: http://www.slipstick.com
Join OneNote Tips mailing list: http://www.onenote-tips.net/
"George Hester" <heste...@hotmail.com> wrote in message
news:Oq$AVzE%23EHA...@TK2MSFTNGP11.phx.gbl...
Diane Poremsky [MVP]
it - it's actually safer than opening a messages because it can't run as
much active content... if you are concerned, use Chilton preview instead -
it doesn't render html.
See http://www.slipstick.com/emo/2004/up040204.htm#preview for more
information on preview pane safety.
--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)
Outlook Tips: http://www.outlook-tips.net/
Outlook & Exchange Solutions Center: http://www.slipstick.com
Join OneNote Tips mailing list: http://www.onenote-tips.net/
"Nicole" <Nic...@discussions.microsoft.com> wrote in message
news:272445B6-0FE3-49D0...@microsoft.com...
Sue Mosher [MVP-Outlook]
from domains in the Trusted Sites zone and or from the Safe Senders list.
--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
http://www.outlookcode.com/jumpstart.aspx
"Vanguard" <see_signature> wrote in message
news:%23%23ZTd4F%23EHA...@tk2msftngp13.phx.gbl...
George Hester
sent to myself or those I am sure have nothing dangerous in them. I can tell that by PocketKnife Peek.
Relying on a third-party or Microsoft to make the decision of what's safe and what's not is a sure fire way of
getting burned.
--
George Hester
_________________________________
"Diane Poremsky [MVP]" <diane.pore...@gmail.com> wrote in message news:#uEi5KG#EHA....@TK2MSFTNGP10.phx.gbl...
Jeff Stephenson [MSFT]
> I use PocketKnife Peek. I never open or preview a e-mail. Never. Except email from me that I know I've
> sent to myself or those I am sure have nothing dangerous in them. I can tell that by PocketKnife Peek.
>
> Relying on a third-party or Microsoft to make the decision of what's safe and what's not is a sure fire way of
> getting burned.
On the other hand, I've been using the preview pane in Outlook 2003 since
long before it shipped, and I've never been burned... Particularly in
Outlook 2003, the preview pane is quite safe.
--
Jeff Stephenson
Outlook Development
This posting is provided "AS IS" with no warranties, and confers no rights
George Hester
up with those things Outlook is disabling. That is one reason you get those funky named subfolders in TIF.
--
George Hester
_________________________________
"Jeff Stephenson [MSFT]" <steph...@online.microsoft.com> wrote in message news:12jp8r07qjmgo$.dlg@jeff.stephenson.microsoft.com...
Diane Poremsky [MVP]
aren't bugs BTW... and if you don't like it that outlook uses that location,
you can move it. Search outlook-tips.net for 'securetemp' for instructions.
The reason for the funky named folders is because of the security - outlook
uses the TIF as a securetemp folder to protect opened documents from the
prying eyes of other users. Additionally, all items loaded into preview are
written to the folder before outlook opens them - this allows your AV
software to scan them if you use autoprotect (and is why we don't recommend
scanning inbound mail at the desktop level).
--
"George Hester" <heste...@hotmail.com> wrote in message
news:ekiQARd%23EHA...@TK2MSFTNGP12.phx.gbl...
George Hester
Cursor and Icon Format Handling Vulnerability - CAN-2004-1049:
A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Now do you believe that Previewing a "malicious e-mail message" is sufficient to avoid this? I suggest NOT. And I suggest that Microsoft although probably would tell us one way or the other won't. Sure go ahead and install the security update. But that's today. Which has been my point all along. Don't preview and you don't have to worry about it. Pretty simple.
--
George Hester
_________________________________
"Diane Poremsky [MVP]" <diane.pore...@gmail.com> wrote in message news:#k#Y88e#EHA....@TK2MSFTNGP14.phx.gbl...
Diane Poremsky [MVP]
convenience - this includes considering how prevalent the exploit is and
whether it's likely to become widespread and if other actions will help to
negate the issue. So many of the recent bulletins require user interaction -
when a user needs convinced to go to a specific site, download something, or
do any other action based on what an email says, they are going to have a
lot more problems than just ones caused by the exploits. That makes the
exploit less than critical IMHO. In this case, the risk to the average user
is low. Why? Read the mitigating factors:
>>
.In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker could also attempt to compromise a Web site to have it serve up a
Web page with malicious content attempting to exploit this vulnerability. An
attacker would have no way to force users to visit a Web site. Instead, an
attacker would have to persuade them to visit the Web site, typically by
getting them to click a link that takes them to the attacker's site or a
site compromised by the attacker.
>>
There's that old 'user intervention' thing...
>>
.By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 2000
opens HTML e-mail messages in the Restricted sites zone if the Outlook
E-mail Security Update has been installed. Outlook Express 5.5 Service Pack
2 opens HTML e-mail messages in the Restricted sites zone if Microsoft
Security Bulletin MS04-018 has been installed. The Restricted sites zone
helps reduce attacks that could attempt to exploit this vulnerability.
>>
Outlook has been somewhat protected from this since the security update
released in June 2000. This is 2005... there is no excuse to not have
Outlook protected. OL98 is at risk, but we've said all along that it's the
least secure of all versions... those users should definitely use Chilton
preview until they upgrade. OL97 is 100% safe from this an other HTML risks,
unless the user opens an HTML attachment.
>>
The risk of attack from the HTML e-mail vector can be significantly reduced
if you meet all the following conditions:
.Apply the update that is included with Microsoft Security Bulletin MS03-040
or a later Cumulative Security Update for Internet Explorer.
.Use Internet Explorer 6 or later.
.Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook
Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later in
its default configuration.
>>
There's that thing about keeping programs up-to-date again.
The easiest way to reduce your risk is to stay off questionable sites
(especially porn and warez sites) and keep AV and your other software up to
date.
Anyone who is worried but wants to use preview can enable plain text in the
preview or use Chilton preview - it's no more '3rd party' than pocketknife
peek and makes reading mail much faster than PP. Me? I'm not shaking in my
shoes over this one and I certainly won't recommend anyone disable preview
to prevent it - i will tell them to make sure they have the latest patches
for their versions because they are still at risk if they disable preview
but open the message.
--
Diane Poremsky [MVP - Outlook]
Author, Teach Yourself Outlook 2003 in 24 Hours
Coauthor, OneNote 2003 for Windows (Visual QuickStart Guide)
Author, Google and Other Search Engines (Visual QuickStart Guide)
Outlook Tips: http://www.outlook-tips.net/
Outlook & Exchange Solutions Center: http://www.slipstick.com
Join OneNote Tips mailing list: http://www.onenote-tips.net/
"George Hester" <heste...@hotmail.com> wrote in message
news:eNmfKVf%23EHA...@TK2MSFTNGP10.phx.gbl...
George Hester
convenience "
We all do that at least I hope so. But that works both ways. Should we apply security fixes that Microsoft
releases for the same reason? Convience in this case meaning using things we come to like. Will these get
broke by applying the security fix?
Diane my point was Preview is a vector that can be exploited. It's happened before and will continue to
happen. If we don't preview then we avoid that vector. Without applying security fixes which have a nasty
habit of breaking things we like. Newsgroups are full of it.
So we are down to this. I want to use Preview and what should I do to best protect myself? My answer is
don't use it. Your suggestions were probably more to the point and in all likelihood doing as you say will
avoid any issues for the forseeable future.
--
George Hester
_________________________________
"Diane Poremsky [MVP]" <diane.pore...@gmail.com> wrote in message news:O0wgtUk#EHA....@tk2msftngp13.phx.gbl...
Jeff Stephenson [MSFT]
> Diane my point was Preview is a vector that can be exploited. It's happened before and will continue to
> happen. If we don't preview then we avoid that vector. Without applying security fixes which have a nasty
> habit of breaking things we like. Newsgroups are full of it.
And the way to avoid a head-on collision is to not drive a car, but I don't
see many people walking or biking wherever they go...
Both I and my wife have been using Outlook - with preview pane on -
extensively for the last 8 years. The only time either of us has ever been
infected was not because of Outlook but because of the few minutes between
the time I installed Windows and the time I installed its updates on a
network infected with Blaster.
Your attitude of "don't use feature X - it might be dangerous" makes me
wonder why you're even connected to the Internet. After all, isn't that
where all these threats come from? Get off the 'Net and you'll really be
safe...
George Hester
"Yes, i have. I take into the consideration if the risk outweighs the
convenience "
That I agree with whole heartedly. I am not a Luddite and I am also not a fool.
We take into consideration the risk as opposed to the benefit. And the ease of implementation. It is very
easy to avoid Preview. Not a problem. In that case the risk is not worth it. It is also relatively easy to
avoid issues on the Net. The benefit outweighs the risk in that case. Which applies to your car example.
It would be very difficult to get around without a car. It is not so difficult to avoid Preview. Just doesn't
look as nice. Again the benefit (my sense of esthetics) doesn't trump the risk.
--
George Hester
_________________________________
"Jeff Stephenson [MSFT]" <steph...@online.microsoft.com> wrote in message news:j6taczcw...@jeff.stephenson.microsoft.com...
Jeff Stephenson [MSFT]
> We take into consideration the risk as opposed to the benefit. And the
> ease of implementation. It is very easy to avoid Preview. Not a
> problem. In that case the risk is not worth it. It is also relatively
> easy to avoid issues on the Net. The benefit outweighs the risk in that
> case. Which applies to your car example.
>
> It would be very difficult to get around without a car. It is not so
> difficult to avoid Preview. Just doesn't look as nice. Again the
> benefit (my sense of esthetics) doesn't trump the risk.
So that all sounds very reasonable, but I quote from your reply to the
initial post:
> Oh yes very dangerous. See the files that may get d/l or put on your
> machine by previewing are no different then what you can get on your
> machine by visiting the dubious sites the sppammers want you to go to.
Suddenly, it's not just esthetics vs. risk - when someone asked about
whether preview was safe, your answer was that it is "very dangerous".
That simply isn't true.
> Microsoft has put a lot of effort in convincing users that the preview of
> e-mail issue here in Outlook has been fixed. Well now don't believe
> them because tomorrow they'll have another fix. Count on it.
And the fix will make it even safer than it already is. What level of
safety do you need before you're willing to abandon plain text? Your
answer did not say "well, there isn't a lot of danger, but since I don't
really care about esthetics I choose avoid even the slightest risk and turn
preview off", it said preview was "very dangerous".
George Hester
I think you misunderstood me. Wanting the preview is a desire for esthetics over what I see as the
perceived risk. I also posted a recent security update from Microsoft which addresses malicious e-mail.
Now I do NOT trust Microsoft under any circumstances to address security issues. They have proven
themselves time and time again that their security fixes are either worthless or cause more problems then they
are supposed to fix. What that tells me is it is up to me to be my own "security" cop. And this "security"
cop says do NOT trust Microsoft to determine what is and what is not safe. It is musch safer to NOT use
Preview then trust what anyone says about its immunity.
Until Microsoft can start issuing security fixes that are truthful, non-damaging, and work I won't be installing
any security fix that I have questions about what it's going to do. Those that I know work and do
not cause residual bad effects they go in. And that's it. It's sort of like these AV applications. You get the
updates and we think we are immune to all the nasties out there. And in the meantime I have to fight with
30,000 41KB viruses sent to my email. All because AV says we're fine. Hogwash.
--
George Hester
_________________________________
"Jeff Stephenson [MSFT]" <steph...@online.microsoft.com> wrote in message news:em4tq2put05i$.dlg@jeff.stephenson.microsoft.com...
Jeff Stephenson [MSFT]
> I think you misunderstood me. Wanting the preview is a desire for
> esthetics over what I see as the perceived risk. I also posted a recent
> security update from Microsoft which addresses malicious e-mail. Now I
> do NOT trust Microsoft under any circumstances to address security
> issues. They have proven themselves time and time again that their
> security fixes are either worthless or cause more problems then they are
> supposed to fix. What that tells me is it is up to me to be my own
> "security" cop. And this "security" cop says do NOT trust Microsoft to
> determine what is and what is not safe. It is musch safer to NOT use
> Preview then trust what anyone says about its immunity.
>
> Until Microsoft can start issuing security fixes that are truthful,
> non-damaging, and work I won't be installing any security fix that I
> have questions about what it's going to do. Those that I know work and
> do not cause residual bad effects they go in. And that's it. It's sort
> of like these AV applications. You get the updates and we think we are
> immune to all the nasties out there. And in the meantime I have to
> fight with 30,000 41KB viruses sent to my email. All because AV says
> we're fine. Hogwash.
Wow.
Well, you're welcome to be as paranoid as you like. Me, I install all
security patches as they're released and have always read all my mail
(including *lots* of spam - I like to keep on top of what spammers are
doing) in the preview pane. In fact I rarely actually open a message. So
far, 10+ years and counting of no infections. Seems to me my track record
is at least as good as yours, but much more esthetically pleasing...
George Hester
kind of funny. Well Jeff a nice discussion really esthetics not withstanding. Oh I forgot I do use preview in
one place. And that is here in OEX. I guess I could turn that off and read the source of newposts but ooh
that would be a too much work.
--
George Hester
_________________________________
"Jeff Stephenson [MSFT]" <steph...@online.microsoft.com> wrote in message news:19llthxy9pc4f$.dlg@jeff.stephenson.microsoft.com...
Diane Poremsky [MVP]
Diane my point was Preview is a vector that can be exploited. It's happened
before and will continue to
happen. If we don't preview then we avoid that vector. Without applying
security fixes which have a nasty
habit of breaking things we like. Newsgroups are full of it.
>>
And my point is opening messages is just as dangerous but less useful. The
average person will not be productive using programs like pocketknife peek
to read their mail - time is money and it takes too much time to not use
preview. The risk of problems using outlook is so low - even if outlook 2000
sp1 with the june 2000 update is the last update ever installed - as long as
you don't open every attachment that comes or click every link you recieve
your chances of becoming infected are low. Low enough that saving time is
more important than taking longer to read mail. (Note I do recommend keeping
updated on the patches, because you could be unlucky once or someone less
savvy than you could use the computer.)
>>
So we are down to this. I want to use Preview and what should I do to best
protect myself? My answer is
don't use it.
>>
My answer is if you are so paranoid, I'd recommend not using outlook - your
best bet is something more than the 99.9% security outlook offers - like
Pine.
George Hester
Time is money and an Excahange Admin that knows what they are doing isn't letting Spam into their Network.
I'm not a business here so Outlook isn't costing me anything or anyone else. But preview can cost me frustration because then I have to deal with those that use it; get the stuff it d/l into their TIF; and then start passing it around like a hot potato.
I understand you think it is immune to these issues. You have every right to feel that way. The spammers also thank you.
--
George Hester
_________________________________
"Diane Poremsky [MVP]" <diane.pore...@gmail.com> wrote in message news:#GX0nG2#EHA....@TK2MSFTNGP12.phx.gbl...
Vanguard
Pine that's funny.
Time is money and an Excahange Admin that knows what they are doing
isn't letting Spam into their Network.
I'm not a business here so Outlook isn't costing me anything or anyone
else. But preview can cost me frustration because then I have to deal
with those that use it; get the stuff it d/l into their TIF; and then
start passing it around like a hot potato.
I understand you think it is immune to these issues. You have every
right to feel that way. The spammers also thank you.
*** REPLY SEPARATOR ***
(only needed due to use of quoted-printable format by quoted poster
since OE does not truncate and prefix with quote character for such
content to provide clear delineation of quoted content from response
content)
I looked at the add-in you suggested. Looks nice but I didn't see a
need for installing an add-in (for me) when I've already got AutoPreview
which gives me a good enough text-only preview of a message to see if it
is something that slipped past all the spam filtering. I'm still using
OL2002 which has a registry setting to let the user read in plain-text
only mode but then you are stuck in that mode for reading all e-mails.
I don't see the hazards that you do when using the Preview pane when
using the Restricted Sites security zone set to High except for web
bugs. That's why I use the AutoPreview pane (although I could also use
anti-spam software, like SpamPal with its HTML-Modify plug-in, to
disable any linked images). I believe OL2003 now has the feature that
you can block linked images but still choose to see them if you want.
So you could use the Preview pane and use the option, if available, to
block the linked images to get rid of the lingering web bug problem that
none of the security zones handle, or you could use AutoPreview to see
some of the message in plain-text mode. I guess if the AutoPreview mode
is not sufficient for your taste (i.e., you really need to see ALL of
the text version instead of just the first 3 or 4 lines) then the add-in
you mentioned is a good workaround.
I don't see that using AutoPreview mode or clicking between tabs for
your add-in as a significant time waste when reading e-mails but then
I'm not in a job where reading the most e-mails per minute is a measure
of my job efficiency.
Could you provide an example where using the Preview pane could incur an
intrusion or invasion by virus, script, or other HTML nasty (other than
web bugs)? I already know that none of the security zones will block
linked images and my older version of Outlook doesn't have the option to
block them until I choose to view them. Since the Restricted Sites
security zone is (or should be) used, which it is by default, and it
should be set to High, which it is by default, the HTML content become
static. No prompts for file downloads since file downloads is disabled.
No font downloads. No scripting, including Javascript. No Java (so no
local applets can run). No ActiveX downloads and any that already exist
locally cannot run. No server-side scripting to generate page content
because you aren't connected to their web server but instead rendering
the page content from the static copy in your local server (i.e., the
copy in Outlook's PST file). No metarefresh. No launching of programs
in frames. No subframes crossing domains (since, again, it is disabled
plus you aren't connected to their web server). Other than web bugs,
HTML e-mail seems pretty much neutered.
Know of any test sites where I can check the security of the Preview
pane? Yeah, I'll be Googling around to check but maybe you already know
of some.
Nicole
What can I say. Well, thank you all for your input and comments on this issue.
I will bring up your suggestions when I see my IT friends next time...that
should be fun ;)
Nicole