Information About "E-mail Wiretapping" Privacy Issue
Several recent news reports have discussed a
potential privacy issue involving a particular type of e-mail, known as
HTML e-mail. We'd like to provide some additional information on the
subject. In particular, we'd like customers to know that if they are using
the most recent version of Outlook, or if they've applied the
previously-released Outlook Email
Security Update, they are not affected by
the issue. Other customers can easily configure their mail programs to
prevent it.
The issue involves the ability to create an HTML e-mail that, each time
it's read, could send back to the originator a copy of the mail's
contents. This could potentially give the author of the e-mail an
opportunity to see who the mail was subsequently forwarded to, and to see
any forwarding comments that had been added to it. The Microsoft Security
Response Center investigated this issue when it was reported to us, and we
confirmed that it would indeed be possible to create such an HTML e-mail.
However, as is often the case in privacy issues, the problem arises
because a useful and properly-implemented technology - in this case, HTML
e-mail - can be misused. Fortunately, it's easy to block this misuse.
HTML mail is a technology that, in essence, allows web pages to be sent as
e-mail. Like a web page, an HTML e-mail can include dynamic functions like
animation, voting buttons, forms, and so forth. Also like web pages, this
functionality is sometimes effected via small programs called scripts.
Just as the script in a web page executes each time it's opened in a
browser, the script in an HTML e-mail executes each time it's opened in a
mail client. This behavior is a property of the HTML e-mail technology,
and operates the same way in a number of mail clients produced by
different vendors, including Microsoft Outlook and Outlook Express.
With this as background, it's probably no surprise to learn that it's
possible for an HTML e-mail to send copies of itself to the originator.
The script can, of course, access the contents of the mail because it's
part of the mail. Once it's done that, it can send the information back to
the originator using the same commands that allow forms to be submitted to
a web site. None of the commands used to do this are flawed in any way.
The problem lies in the circumstances under which they're used.
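To show what the pattern described above looks like from the receiving side, here is an added example in Python; it is not code from the original article or from Microsoft. It parses a raw message, locates any text/html part, and reports whether that part carries script (a script element or an inline on* event handler) together with a form whose action points at a remote host, which is the combination a mail gateway or triage script would want to flag. The two sample messages, the host name collector.example.test and the function names are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail carrying a script element and a form whose
# action is a remote host. The script body is a placeholder comment; only the
# structure matters for the scanner.
SUSPICIOUS_MESSAGE = """\
From: sender@example.test
To: recipient@example.test
Subject: Quarterly numbers
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please review the figures below before forwarding.</p>
<form id="f" method="post" action="http://collector.example.test/submit">
<input type="hidden" name="body" value="">
</form>
<script>/* placeholder: a script here would run each time the mail is opened */</script>
</body></html>
"""

# Constructed sample: an ordinary HTML newsletter with no script and no form.
BENIGN_MESSAGE = """\
From: news@example.test
To: recipient@example.test
Subject: Monthly newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<h1>This month</h1>
<p>Read the full story on our <a href="http://www.example.test/news">site</a>.</p>
</body></html>
"""


class _HtmlMailScanner(HTMLParser):
    """Collects the HTML features relevant to the advisory: script elements,
    inline event handlers, and forms that would submit to a remote host."""

    def __init__(self):
        super().__init__()
        self.script_count = 0
        self.event_handlers = []        # e.g. "body@onload"
        self.external_form_targets = [] # host names taken from form actions

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.script_count += 1
        if tag == "form":
            host = urlparse(attrs.get("action") or "").hostname
            if host:
                self.external_form_targets.append(host)
        for name in attrs:
            # HTMLParser lower-cases attribute names, so "on" catches onload, onclick, ...
            if name.startswith("on"):
                self.event_handlers.append(f"{tag}@{name}")


def scan_html_mail(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and summarise the script / form features of
    every text/html part. 'suspicious' is set only when the message both runs
    script and has a form that would submit to a remote host."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {
        "has_html_part": False,
        "script_count": 0,
        "event_handlers": [],
        "external_form_targets": [],
    }
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        findings["has_html_part"] = True
        scanner = _HtmlMailScanner()
        scanner.feed(part.get_content())  # decoded str for text parts
        scanner.close()
        findings["script_count"] += scanner.script_count
        findings["event_handlers"] += scanner.event_handlers
        findings["external_form_targets"] += scanner.external_form_targets

    runs_script = findings["script_count"] > 0 or bool(findings["event_handlers"])
    findings["runs_script"] = runs_script
    findings["submits_remotely"] = bool(findings["external_form_targets"])
    findings["suspicious"] = runs_script and findings["submits_remotely"]
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, scan_html_mail(raw))
```

The scanner deliberately treats script and remote form submission as two separate signals and only marks a message suspicious when both are present; a newsletter with a search form, or a message with a harmless script and no form, is reported but not flagged. Because the mail client decides whether script runs at all (the zone setting described later in this article), the scanner is a complement to that client-side control, not a replacement for it.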
The good news is that you could only be affected by
this issue if scripts are allowed to run in your mail client, and it's
easy to disable scripting. All web content, regardless of whether it's on
a web page or in an e-mail, is processed within one of the
security zones
defined in Internet Explorer. Outlook and Outlook Express always open HTML
e-mails in one of these zones, and by changing the zone that's used, you
can regulate the actions HTML e-mails will be able to take when they're
opened.
If you're using Outlook, you may already be protected against this issue.
In particular, you cannot be affected by this issue if any of the
following are true:
- You're using Outlook 2000 Service Pack 2. The default configuration of
Outlook 2000 SP2 opens HTML e-mail in a zone where scripting is disabled.
- You've applied the Outlook Email Security Update. The Update reconfigures
Outlook 98 or 2000 to open HTML e-mail in a zone where scripting is
disabled.
- You're using a version of Outlook prior to Outlook 98. These versions
didn't support scripting in HTML e-mails under any conditions.
Microsoft encourages all customers who haven't already done so to download
and install Outlook 2000 Service Pack 2 or the Outlook Email Security
Update. In addition to preventing this issue, both options also provide
enhanced protection against other classes of e-mail based attacks.
If you're using Outlook Express, or if you're using Outlook but aren't
covered by any of the cases above, you can configure it to prevent scripts
in HTML e-mails from running. You need to do two things:
- Move mail into the Restricted Sites Zone. In Outlook Express, select
Options from the Tools menu and select the Security tab. Select the radio
button labeled "Restricted Sites zone", then click OK. If you're using
Outlook, select Options from the Tools menu and select the Security tab.
Select "Restricted Sites" in the pull-down box labeled "Zone", then click
OK.
- Ensure that Active Scripting is disabled in the Restricted Sites Zone.
Open Internet Explorer, then select Internet Options from the Tools menu
and select the Security tab. Click on the Restricted Sites icon, then
click on the Custom Level button. Scroll to the section labeled Scripting,
then check the setting for Active Scripting and make sure that Disabled is
selected. Click OK twice.
Additional information on configuring Outlook and
Outlook Express is available in the online help for each product. For more
information on using and customizing security zones, see Microsoft
Knowledge Base article 174360, "How to Use Security Zones in Internet
Explorer".