Attachment Insecurity Revealed in Outlook Express

By Neil J. Rubenking  |  Posted 2004-10-06

Even if the user picks an option in Outlook Express 6 that says, "Do not allow attachments to be saved or opened that could potentially be a virus," using "forward" could still launch such attachments.

Outlook Express 6 includes a configuration setting awkwardly titled "Do not allow attachments to be saved or opened that could potentially be a virus." When this option is checked, OE blocks the user from opening a wide variety of attachment types that have the potential to execute some kind of code. Clicking the paperclip icon in preview mode shows the attachment names, but the menu options to save or open them are grayed out. When the message is opened, OE displays a banner stating, "OE removed access to the following unsafe attachments in your mail:."

Windows XP Professional administrators can lock down this setting using the Group Policy Editor, so it might seem a useful way to prevent children or employees from inadvertently releasing potential viruses.
But there's a gaping hole in the security provided by this setting. If the user clicks Forward, the attachment is displayed in the forwarded message, and a double-click will launch it.

Neil J. Rubenking

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990 he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His 'User to User' column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of them) provided both useful programs and examples of programming in Pascal, Visual Basic, and Delphi. Mr. Rubenking has also written seven books on DOS, Windows, and Pascal/Delphi programming, including PC Magazine DOS Batch File Lab Notes and the popular Delphi Programming for Dummies. In his current position as a PC Magazine Lead Analyst he evaluates and reports on client-side operating systems and security solutions such as firewalls, anti-virus, anti-spyware, anti-spam and full security suites. He continues to answer questions for readers in the ongoing 'Solutions' column and in PC Magazine's discussion forums.
