New Security Holes in Outlook | Internet News

New Security Holes in Outlook

Written By
Beth Cox
Mar 22, 2002

Online privacy and security guru Richard Smith, who operates the Computer Bytes Man site, has
issued a warning about potential security problems in Microsoft Outlook 2002.
One of the most serious involves Windows Media Player (WMP).


In an e-mail to SecurityFocus Corp.’s Bugtraq
database administrators, Smith said that WMP “reintroduces the ability to
automatically execute JavaScript code from an HTML e-mail message in Outlook
2002.”


Bugtraq is an interactive list of vulnerabilities developed to help the
security community identify and fix them.


Smith is the author of a recent detailed report on what he called “serious
privacy problems” with Windows Media Player for Windows XP that lets Microsoft
track what DVD movies consumers are watching. Microsoft has said its DVD
privacy policy has been amended.


The second Outlook 2002 problem, according to Smith, is that JavaScript code
in an HTML e-mail message can still be executed even though scripting is
turned off by default in Outlook. The trick is to embed the JavaScript code in
either an “about:” or “javascript:” URL that is used in an HTML tag.
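
A defender-side check for the URL trick described above, as an added example that is not from Smith's message or this article: it scans the HTML parts of a message for tag attributes whose URL uses the “about:” or “javascript:” scheme. The attribute list, the function names, the about:blank exception and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

SCRIPT_SCHEMES = ("javascript", "about")   # the two schemes the article names
# Assumption: a non-exhaustive list of attributes that take a URL.
URL_ATTRS = {"href", "src", "background", "action", "lowsrc", "dynsrc", "data"}
LEADING = "".join(map(chr, range(0x21)))   # space and C0 control characters

def script_scheme(value):
    """Return 'javascript' or 'about' if the URL value uses that scheme, else None."""
    # Normalise the way lenient URL parsers do; HTMLParser already decoded entities.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(LEADING)
    m = re.match(r"([a-z][a-z0-9+.\-]*):(.*)", cleaned, re.I | re.S)
    if not m or m.group(1).lower() not in SCRIPT_SCHEMES:
        return None
    if m.group(1).lower() == "about" and m.group(2).strip().lower() == "blank":
        return None  # assumption: plain about:blank carries no markup or script
    return m.group(1).lower()

class SchemeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            scheme = script_scheme(value) if name in URL_ATTRS and value else None
            if scheme:
                self.findings.append((tag, name, scheme))

def scan_message(raw):
    """Return (tag, attribute, scheme) for each flagged URL in text/html parts."""
    finder = SchemeFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    finder.close()
    return finder.findings

# Constructed sample message (not from the article); the payloads are inert.
SAMPLE = """\
Content-Type: text/html; charset="utf-8"

<html><body background="about:&lt;b&gt;x&lt;/b&gt;">
<a href="https://example.com/">link</a><iframe src="about:blank"></iframe>
<img src=" JaVa&#9;Script:void(0)"></body></html>
"""
```

A mail gateway or triage script could call `scan_message` on each inbound message and quarantine or rewrite those with findings.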


A third problem is that cookies can be set and read in HTML e-mail messages
in spite of the fact that the default security settings in Outlook 2002 claim
that cookies are turned off. This is a privacy leak problem and not a
security hole, he said. The fourth problem involves gratuitous warnings about
links sent in e-mail messages.


Ironically, Microsoft is making security in its products a top priority — in
January, Chairman Bill Gates emphasized that to employees in a memo. Last month
the company turned to an outside security expert to help implement that goal.


Smith said in his message that JavaScript is disabled by default in Outlook
2002 because it can facilitate the creation of worms and other malicious
code that can be carried by HTML e-mail messages. Using a number of simple
tricks, “WMP can be used to bypass the Outlook security settings and still
automatically execute JavaScript, Java, and ActiveX code in an HTML
e-mail message.”


“This problem is more of an example of poor security policies in Outlook and
WMP and is not really a security hole in the classic sense,” he wrote, adding
that Outlook Express and earlier versions of Outlook likely have the same
security problem even with all security protections set to the maximum. There
was no immediate response from Microsoft.
