> -----Original Message----- > From: Jeff Uslan [mailto:jeff_uslan@speakeasy.net] > Sent: Friday, March 26, 2004 10:49 AM > To: jeff_uslan@speakeasy.net > Subject: MS Outlook/Outlook Express Preview Pane Security Issue > > > FYI > > > Just a reminder that if you are using anything but Outlook > 2003. The HTML > injection issues and other such exploits with just viewing > the preview pane > have mostly been taken care of in the older versions but > issues are still > popping up. 'HTML injection issues and "other such exploits" with "justing viewing" the email have been cropping up in older versions'... this does not mean they will not happen in Outlook 2003. There should definitely be some such bugs in Outlook 2003. There is a lot of ground to cover where these situations could happen. (ie, numerous message types, numerous automated functions -- just a lot of code... and a past history... which gives us some probabilistic guess about potential vulnerability.) Outlook 2003 does provide numerous security enhancements, some which are rather well hidden from users and a very nice Junk E Mail filter. Kudos to them. [Though, they still have not figured out the simple task of doing HTML email right. Or message threading. Another good indicator there may be security bugs -- presence of poor or sloppy design issues or non-security bugs.] Outlook 2003 is not free, so expect it to be looked at later rather then sooner by the larger body of security researchers.
