Outlook Express
Microsoft Outlook Express is an email and news client bundled with operating systems and the Internet Explorer web browser by Microsoft, and also available as a no-charge download for the "classic" Apple Macintosh operating system (although not for the newer Mac OS X, where it has been replaced by Microsoft Entourage, which costs money as part of Microsoft Office).
Outlook and Outlook Express are distinct platforms which do not share common code, but do share a common architectural philosophy. The similar names lead many people to incorrectly conclude that Outlook Express is a "stripped" version of Outlook. Outlook Express is bundled with Internet Explorer, and may or may not be freely available if future versions are released. Microsoft states that "further enhancements to security" will require that future versions of Internet Explorer (and thus Outlook) run only on a newly secured operating platform, Longhorn.
Windows 95 included Internet Mail and News, a simple precursor to Outlook Express. Internet Mail and News handled plain text email (not HTML mail), and had none of the security holes Outlook is known for. However, Microsoft did not provide it with a way to back up the address book — something that would later create a great deal of frustration among users.
With the fully-fledged Outlook Express product, Microsoft's vision for integrated web applications resulted in a semi-merger of the browser and the mail client, with full scripting support. However, this blurred the normal distinction between a trusted application, a benign e-mail, and a remote webpage. Outlook's ability to execute JavaScript and display remote images was at the root of many of its later security and privacy issues.
In the "Welcome e-mail" for both Outlook and Outlook Express, Microsoft acknowledged that with new HTML e-mail, security was a risk, and described their plan for foiling the security risk. Outlook and Internet Explorer both featured security zones — a feature neither found in nor needed by competing products. The zones were Intranet, Internet, Trusted, and Restricted. Internet was for any site not in a zone. Sites in the Trusted zone could do things without asking the user's permission; the zone was clearly designed for administrators who wanted to allow updating without any confusion. AOL used it to add http://free.aol.com to ensure that users who wanted to download their online service client software didn't have to grant them permission via an ActiveX certificate dialog box whose well-warranted warning might scare away potential customers. That required an Internet Explorer hack that should not have been possible if Microsoft's zones had worked as intended. The security zones were supposed to be user-controlled.
But that was a relatively benign breach due to Microsoft's implementation of the plan. Another flaw was the fact that the "Restricted" security zone wasn't restrictive enough. A script could automatically open as an attachment. (Another contributing factor was a bug in Outlook's attachment handling that allowed an executable to appear to be a harmless attachment such as a graphics file.) This bug was later fixed so that only the last '.' represented the end of the filename and the beginning of the file extension — the correct behavior for the Windows filesystem. Opening or previewing an e-mail could cause code to run without the user's knowledge or consent. A host of viruses exploited this. See Outlook and Trustworthy Computing Initiative for more information on how Microsoft has responded.
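An added example (not part of the original article and not Microsoft's code): a mail-filter style check that applies the corrected rule described above, taking the text after the last '.' as the extension, and flags names whose earlier part imitates a harmless file type. The extension lists, function names and sample names are assumptions constructed for illustration.

```python
import re

# Assumed, illustrative list of extensions Windows runs or scripts directly.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "lnk"}
# Assumed list of extensions a recipient reads as "just a picture or document".
BENIGN_LOOKING_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "pdf", "mp3"}


def effective_extension(filename):
    """Return the extension the system acts on: the text after the LAST dot."""
    # Win32 path handling drops trailing dots and spaces, so strip them first.
    name = filename.rstrip(". ")
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return ""  # no dot at all, or a leading-dot name with no extension
    return ext.lower()


def classify_attachment(filename):
    """Classify a name as 'ok', 'executable' or 'disguised-executable'."""
    ext = effective_extension(filename)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    # Everything before the real extension; an earlier dot here is a decoy.
    stem = filename.rstrip(". ")[: -(len(ext) + 1)]
    decoy = effective_extension(stem)
    # Long whitespace runs push the real extension out of the visible field.
    padded = re.search(r"\s{3,}", stem) is not None
    if decoy in BENIGN_LOOKING_EXTS or padded:
        return "disguised-executable"
    return "executable"


# Constructed sample attachment names (not taken from any real message).
SAMPLE_NAMES = [
    "report.pdf",
    "setup.exe",
    "photo.jpg.exe",
    "invoice.txt          .scr",
    "notes.exe. ",
]


def scan(names):
    """Map each attachment name to its classification."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAMES).items():
        print(f"{verdict:22} {name!r}")
```

A filter built this way should block or quarantine on the effective extension, and treat the "disguised" verdict as a stronger signal than a plain executable attachment.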
Outlook Express has earned a reputation as the de facto standard email client because of its wide availability, and also as the de facto vector of worms and viruses. The Macintosh version, no longer under development, was less vulnerable.
As of late, Microsoft has talked of halting development on Outlook Express, but has not stopped support or use of the software with its Windows operating system. However, patches for some known vulnerabilities may take some time to be released (see Secunia in "External links" below). This can be an important security concern.
External links
- Outlook Express home page for Windows (http://www.microsoft.com/windows/oe/)
- Outlook Express home page for Macintosh (http://www.microsoft.com/mac/otherproducts/outlookexpress/outlookexpress.aspx?pid=outlookexpress)
- Secunia: compare the latest unpatched known flaws of Outlook Express with those of other email clients (http://secunia.com/product/102/)
- Backing up Outlook Express data (http://www.pcnineoneone.com/howto/oebackup1.html)