Attachment Insecurity Revealed in Outlook Express
Even if the user picks an option in Outlook Express 6 that says, "Do not allow attachments to be saved or opened that could potentially be a virus," using "forward" could still launch such attachments.
Outlook Express 6 includes a configuration setting awkwardly titled "Do not allow attachments to be saved or opened that could potentially be a virus." When this option is checked, OE blocks the user from opening a wide variety of attachment types that have the potential to execute some kind of code. Clicking the paperclip icon in preview mode shows the attachment names, but the menu options to save or open them are grayed out. When the message is opened, OE displays a banner stating, "OE removed access to the following unsafe attachments in your mail:."
But there's a gaping hole in the security provided by this setting. If the user clicks Forward, the attachment is displayed in the forwarded message, and a double-click will launch it.