How to make Outlook Express safe on the Internet
Richard M. Smith
rms@computerbytesman.com
August 3, 1999
With the recent discoveries of significant security holes
in HP and Compaq computers and Office 97, I decided
to look into how to configure security settings in
Outlook Express to eliminate these vulnerabilities. Unfortunately
I found a series of problems with the current design of
Outlook Express that I think makes it pretty difficult to protect
against incoming malicious Email messages of this sort. Worse yet,
Outlook Express claims that it can be configured to offer
increased security but my testing shows that these claims
are very misleading.
Getting security set right in an Email reader like Outlook
Express is very important because today most "malware" like
computer viruses and trojan horses are distributed via Email.
In Outlook Express, incoming Email messages are displayed by
Internet Explorer (IE). The use of IE allows both plain text and
HTML Email messages to be viewed in Outlook Express.
Security issues in Outlook Express are then handled by
Internet Explorer. Incoming messages can be viewed in one
of two "security zones". By default, messages are viewed
in the "Internet zone" which means that messages can contain
JavaScript code, ActiveX controls, and Java applets that
are automatically executed when a message is read. This
zone therefore allows pretty much any browser security hole
to be exploited from an HTML Email message.
There is a second security zone in Outlook Express called
the "Restricted sites zone" which turns off ActiveX and
Java support and therefore supposedly offers greater security.
This zone is selected using this simple procedure:
- Start Outlook Express
- Select the "Tools | Options..." menu command
- Click on the "Security" tab in the "Options" dialog box
- Select "Restricted sites zone (More secure)"
- Push the "OK" button
I made this change on my copy of Outlook Express and
then tested the change using a couple of demos I put
together of security holes in IE. Amazingly, both
demos continue to work even in the restricted sites zone!
I found this zone works no better at stopping malicious
Email messages than the default Internet zone.
I did some more digging and here are the specific
problems that I found with the restricted sites zone:
- My first demo automatically runs Microsoft Word
inside of an Email message by downloading
a Word document in an <IFRAME> HTML tag.
According to the IE security settings for the
restricted sites zone, both "File download"
and "Launching programs and files in an IFRAME"
are disabled. However, I found on my system
that both settings are being ignored.
- By default, JavaScript is still turned on in the
restricted sites zone. My second demo still
worked then because it contains a small
amount of script code in the Email message
which opens a second window where the actual demo
code runs. The second window is used so that the
code still runs in the background even if the Email
message is closed. Unfortunately, Outlook
Express places this second Window in the
Internet zone where it can continue to use
things like questionable ActiveX controls and Java applets.
(Had my demo code run in the Email message itself,
then the restricted sites zone would have prevented
it from running.)
- When I went under Internet Options in the Windows
control panel and displayed the security settings
for the restricted sites zone, I found the
"slider switch" for the zone set to "High" and there was no
way to move the switch any higher. However, when I
clicked on the "Custom Level" button, I discovered
that JavaScript was still enabled. I disabled
scripting manually and at least my second demo
stopped working. I found the "high" setting on
slider switch very misleading given that scripting
was still on.
- Under the "Security Settings" dialog box for the restricted
sites zone, I also noticed that Java and scripting
of controls were still enabled. However, with
a bit of experimentation I found that both of these features are
actually turned off because ActiveX controls are turned
off. I wish that the user interface for this dialog more
accurately reflected how Internet Explorer actually
operates. (As a side note, it doesn't appear possible
to disable ActiveX support in Internet Explorer without
also disabling Java.)
After doing this testing it appears there are a number
of bugs that need to be fixed here. In particular
JavaScript needs to be turned off in the restricted
sites zone by default. It can still cause a lot of mischief.
In addition, the problems with IFRAMEs need to be
addressed. The bottom line here is that there needs to
be a simple way that anyone can set up Outlook Express
to never run mobile code in Email messages.
I did all my testing with version 5 of Outlook Express.
The same problems, I believe, also exist in version 4. The
standard version of Outlook may also have similar
problems, but I haven't tested it yet.
If you want to turn off JavaScript yourself in the
restricted sites zone, here are the steps:
- Go under the Windows "Start menu" and select the "Settings | Control Panel" command
- Double click on the "Internet Options" icon in the "Control Panel" window
- Click on the "Security" tab in the "Internet Properties" window
- Click on the "Restricted sites" icon in the Security pane
- Click on the "Custom Level..." button
- Scroll down to the entry for "Active Scripting" and click on the "Disable" option
- Push the "OK" button.
- Push the second "OK" button.
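The "High" slider and the "Security Settings" dialog turned out not to be a reliable guide to what the zone actually does, so the check a practitioner wants is on the stored settings themselves. The script below is an added example, not code from this article: it reads a regedit export of the Restricted sites zone key and flags every action that is not stored as Disable. It assumes the standard Internet Explorer URL action value names (1200, 1400, 1405, 1803 and 1804, where 0 = Enable, 1 = Prompt and 3 = Disable) and uses a constructed sample export; to audit a real machine, export the key with regedit and pass that text instead.

```python
import re
# Key holding the per-action settings for IE's "Restricted sites" zone (zone 4).
RESTRICTED_ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                       r"\Internet Settings\Zones\4")
# URL action codes stored as value names under that key; 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIONS = {
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1803": "File download",
    "1804": "Launching programs and files in an IFRAME",
}
STATE_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([0-9A-Fa-f]+)"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample export (regedit /e of the zone key), not taken from a real machine:
# the slider reads "High" (CurrentLevel 0x12000) yet Active scripting is still enabled.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"CurrentLevel"=dword:00012000
"1200"=dword:00000003
"1400"=dword:00000000
"1803"=dword:00000003
"1804"=dword:00000003
"""

def parse_zone_values(reg_text):
    """Return {value_name: int} for every DWORD found under the Restricted sites key."""
    values, in_zone = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:  # a new [key] section starts; remember whether it is zone 4
            in_zone = key_match.group(1).lower() == RESTRICTED_ZONE_KEY.lower()
        elif in_zone and (m := _DWORD_RE.match(line)):
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit_restricted_zone(reg_text):
    """List the actions that are absent from zone 4 or not stored as Disable (3)."""
    values, findings = parse_zone_values(reg_text), []
    for code, description in ACTIONS.items():
        state = values.get(code)
        if state != 3:
            shown = "not set" if state is None else STATE_NAMES.get(state, hex(state))
            findings.append(f"{code} {description}: {shown}")
    return findings
```

An action that is absent from the key is reported as "not set" rather than assumed safe, since the effective setting then comes from elsewhere and should be checked by hand.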
I also played a bit with how Outlook Express handles
attachments. I sent myself a simple test Email message
with a text file and Word .DOC file attached. Clicking
on the text file, I got a message from Outlook Express
warning that the file might contain a virus (Good Times
perhaps?). I decided to live dangerously, clicked "OK", and
the file opened up in Notepad. However, when I clicked
on the .DOC file, it opened up in Word with no security
warnings at all! Outlook certainly has an interesting view
of the world where text files are "dangerous" and Word
files are "safe".
I didn't see any way to configure Outlook Express to
always warn me about attachments. However, I understand that
Microsoft is working on some sort of patch for Office
so that Word and Excel files are no longer considered
safe by IE and the various Microsoft Email readers.
A similar patch is also available today from here:
http://ntbugtraq.ntadvice.com/office97fix.asp
This patch was put together by Jimmy Guse.
So if you want a safe version of Outlook Express
(ie, one that can't run mobile code in Email messages),
you'll need to:
- Switch Outlook Express to use the restricted sites zone
- Turn off JavaScript in the restricted sites zone
- Apply Jimmy Guse's patch
Pretty obviously, this is a complicated procedure. As
a minimum, an Email reader should have one button to
push to stop all mobile code. Better yet this should be
the default setting in Email readers so that there are
no buttons to push.