September 29, 2006

Outlook 2007 Security and Privacy


As I discussed in my column last month ("Outlook 2007: HTML Forms Are 'Out;' CSS Is 'In,'" http://www.windowsitpro.com/Articles/ArticleID/93346/93346.html), one significant change in Microsoft Office Outlook 2007 is that scripts in HTML-formatted messages can't run at all. That's just one of many improvements in Outlook 2007 to make it more secure. With a more stable 2007 Microsoft Office system Beta 2 Technical Refresh (B2TR) now available, I thought this would be a good time to review Outlook 2007's security and privacy improvements.

Let's start with programmatic access and those intrusive security prompts that users see when external applications try to automate Outlook. By default, those won't appear in Outlook 2007 if the user is running an up-to-date antivirus application on Windows Vista or Windows XP. That's a big gain for corporations with older, in-house applications that would be expensive to rewrite to use Outlook automation techniques that avoid security prompts. Furthermore, the programmatic access settings that formerly worked only in the Outlook Security Settings public folder can be managed in Outlook 2007 through a Group Policy Object (GPO), so they can apply even in organizations that don't use Exchange Server for mail.

Another security setting that might affect existing custom applications is that Outlook 2007, by default, doesn't display folder home pages for folders other than the user's default information store and the Public Folders hierarchy. A folder home page is a Web page associated with a folder. Like any Web page, it can run code, but because it's running inside Outlook, it isn't blocked from performing Outlook automation as an external Web site page opened in Microsoft Internet Explorer would be. If a folder home page in another folder is essential to an organization, an administrator can change this behavior by using a GPO. After adding the Outlk12.adm administrative template (see URL below for the template download), go to User Configuration, Administrative Templates, Microsoft Office Outlook 2007, Tools | Options..., Other, Advanced and look for a setting named Do not allow folders in non-default stores to be set as folder home pages.

Outlook 2007 includes improved protection against spam and phishing, plus a more prominent warning on suspected phishing messages. Recognizing that users often need to send legitimate messages that might look like spam to some email clients, Microsoft has added a new Email Postmark feature to Outlook. When the user sends a message with spam-like characteristics, Outlook solves a computationally costly puzzle, hashes the solution, and puts information about the puzzle and solution into two fields in the message's SMTP header. The recipient of the message sees nothing special about the message, but if the receiving mail client is Outlook 2007, it can use the contents of those fields to determine that the message is valid and not junk. The sender won't notice the slight delay on an individual message, but Microsoft contends that the computational cost of the Email Postmark feature makes it impractical for spammers to take advantage of it.
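The postmark described above follows the general proof-of-work pattern: the sender spends CPU time once per message, and the receiver checks the result with a single hash. The Python example below is an added illustration of that pattern, not Outlook code; the article does not give the real puzzle, hash, or header field names, so the header name `X-Example-Postmark`, the SHA-256 leading-zero-bits puzzle, and the stamp layout are all assumptions. It binds the stamp to the recipient and date so that one solved puzzle cannot be reused for bulk mail to other addresses, which is why the cost stays per-message for a spammer.

```python
import hashlib

# Assumed names for this illustration: the article does not name Outlook's
# actual postmark header fields or its puzzle, so these are placeholders.
STAMP_HEADER = "X-Example-Postmark"
DEFAULT_BITS = 16  # leading zero bits the sender must find; each extra bit doubles the work


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def puzzle_input(recipient: str, date: str, nonce: int) -> bytes:
    """The puzzle is bound to recipient and date so a solved stamp cannot be
    reused for mail to other addresses or replayed on another day."""
    return f"{recipient}|{date}|{nonce}".encode()


def solve_stamp(recipient: str, date: str, bits: int = DEFAULT_BITS) -> str:
    """Sender side: brute-force a nonce until the hash has `bits` leading zeros.
    Expected cost is about 2**bits hash evaluations."""
    nonce = 0
    while True:
        digest = hashlib.sha256(puzzle_input(recipient, date, nonce)).digest()
        if leading_zero_bits(digest) >= bits:
            return f"{bits}:{date}:{recipient}:{nonce}"
        nonce += 1


def verify_stamp(stamp: str, expected_recipient: str, min_bits: int = DEFAULT_BITS) -> bool:
    """Receiver side: one hash evaluation checks the stamp. Rejects stamps made
    for another recipient or carrying less work than the receiver demands."""
    try:
        bits_s, date, recipient, nonce_s = stamp.split(":")
        bits, nonce = int(bits_s), int(nonce_s)
    except ValueError:
        return False
    if recipient != expected_recipient or bits < min_bits:
        return False
    digest = hashlib.sha256(puzzle_input(recipient, date, nonce)).digest()
    return leading_zero_bits(digest) >= bits


def stamp_headers(headers: dict, bits: int = DEFAULT_BITS) -> dict:
    """Sender: attach the stamp to a message represented as a header dict."""
    stamped = dict(headers)
    stamped[STAMP_HEADER] = solve_stamp(headers["To"], headers["Date"], bits)
    return stamped


def classify(headers: dict, min_bits: int = DEFAULT_BITS) -> str:
    """Receiver: 'postmarked' means the sender demonstrably paid the work;
    anything else falls through to the normal junk filter."""
    stamp = headers.get(STAMP_HEADER)
    if stamp and verify_stamp(stamp, headers["To"], min_bits):
        return "postmarked"
    return "unverified"


if __name__ == "__main__":
    # Constructed sample message headers
    msg = {"From": "sender@example.org", "To": "alice@example.com",
           "Date": "2006-09-29", "Subject": "FREE offer inside"}
    stamped = stamp_headers(msg)
    print(stamped[STAMP_HEADER], classify(stamped))
    reused = dict(stamped, To="bob@example.com")  # same stamp sent to someone else
    print(classify(reused))
```

The asymmetry is the whole point: `solve_stamp` costs roughly 2**16 SHA-256 calls at the default difficulty, while `verify_stamp` costs one. A receiver can raise `min_bits` unilaterally as hardware gets faster, and any stamp that names a different recipient or was solved at a lower difficulty is simply treated as unverified rather than as junk, so the feature only ever adds evidence in the sender's favour.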

Outlook 2007 plugs a number of potential privacy leaks that were present in earlier versions. Like Outlook 2003, the new version blocks images and other external content in HTML messages that could be used with so-called Web bugs to reveal information about the user. But it expands this feature to give the user a new option to block external content not just on reading a message but also during reply, forward, and print operations.
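To make the "Web bug" risk concrete, here is an added Python example (not Outlook's own code) that does what a client's external-content blocker has to do: walk an HTML message, find every remote resource the client would fetch automatically while rendering (images, backgrounds, stylesheets, CSS `url()` references), flag the 1x1 images that exist only to report the open, and neutralise those references so that viewing, replying, forwarding, or printing fetches nothing. The sample message, the `blocked:` pseudo-scheme, and the attribute table are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https"}
# Attributes whose value the mail client fetches as soon as the message is rendered.
# A clicked link (<a href>) is deliberately not listed: it loads nothing on its own.
AUTO_FETCH_ATTRS = {
    "img": ("src",), "input": ("src",), "link": ("href",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.IGNORECASE)


def _is_remote(url: str) -> bool:
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES


def _is_tiny(attrs: dict) -> bool:
    """A 0x0 or 1x1 image has no visible purpose except tracking."""
    dims = {str(attrs.get(k, "")).lower().rstrip("px") for k in ("width", "height")}
    return bool(dims & {"0", "1"})


class ExternalContentFinder(HTMLParser):
    """Collect every remote resource the client would fetch while rendering."""

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, url, looks_like_web_bug)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in AUTO_FETCH_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if url and _is_remote(url):
                self.found.append((tag, url, tag == "img" and _is_tiny(attrs)))
        # Inline styles can also trigger a fetch: background: url(http://...)
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self.found.append((tag, url, False))


def find_external_content(html: str) -> list:
    parser = ExternalContentFinder()
    parser.feed(html)
    parser.close()
    return parser.found


def block_external_content(html: str) -> str:
    """Rewrite remote references to a non-fetchable scheme so rendering, reply,
    forward and print all load nothing. Inline cid: content is left alone."""
    urls = {url for _, url, _ in find_external_content(html)}
    if not urls:
        return html
    # Longest URL first so a URL that is a prefix of another is not rewritten twice.
    pattern = re.compile("|".join(re.escape(u) for u in sorted(urls, key=len, reverse=True)))
    return pattern.sub(lambda m: "blocked:" + m.group(0), html)


# Constructed sample message: one inline logo, one tracking pixel, one CSS background.
SAMPLE_HTML = """<html><body style="background: url(https://track.example.net/bg.gif)">
<p>Hello Alice,</p>
<img src="cid:logo123" alt="inline logo">
<img src="https://track.example.net/open?id=abc123" width="1" height="1" alt="">
<a href="https://example.com/page">read more</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, bug in find_external_content(SAMPLE_HTML):
        print(f"{tag:5} {'WEB BUG' if bug else 'remote '} {url}")
    print(block_external_content(SAMPLE_HTML))
```

Note what the sample keeps: the `cid:` logo is embedded in the message and loads without any network request, and the `<a href>` link is left intact because it only fetches when the user clicks it. Blocking at reply, forward, and print time matters because each of those re-renders the HTML body, and a client that only blocks on first display would still fire the tracking request the moment the user hits Reply.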

In earlier versions, a user could add a vCard .vcf file to any Outlook email signature, but it was all too easy for Exchange users to unwittingly include in that vCard personal information stored in the Global Address List (GAL). Outlook 2007 eliminates that possibility. The only type of vCard .vcf file that can be included with a signature is one created with the new Electronic Business Card feature. To create an Electronic Business Card, the user must specify exactly what information to include. Therefore, there's no risk of information leaking out from the GAL.

Another area where privacy is tightened is around free/busy information. This might be the ultimate feature for secretive bosses! In earlier versions of Outlook, users either saw free/busy information for other users or, if they had Reviewer access to other users' Calendar folders, the details of appointments in the other users' calendars. The only way to block a person from seeing any free/busy information for a user was to stop publishing free/busy information for that user completely. When used with Exchange 2007, Outlook 2007 expands the free/busy permission options to offer new options for "None" and "Free/Busy time, subject, and location." Thus, the secretive boss could set four different levels of free/busy access for four different sets of people in the organization: no access as the default; full details (i.e., Reviewer access) for the boss's assistant; for peers, free/busy time, subject, and location; and for direct reports, free/busy time only.

A good way to get to know some of the new settings in Outlook 2007 is to download the administrative template .adm files for B2TR and add them to Group Policy Editor (GPE) so that you can then browse through the available options. One welcome change in the Outlk12.adm file is the addition of explanatory text for most policy settings.

Administrators have long asked for an option to completely disable the Outlook reading pane (even though it hasn't been a source of vulnerability for years). Outlook 2007 has this option, although it's a little hard to find in GPE. After you add the Outlk12.adm administrative template, look under User Configuration, Administrative Templates, Microsoft Office Outlook 2007, Tools | Options..., Other for an option named Do not display the reading pane.

One final security note: What about the Vector Markup Language vulnerability reported last week by Sunbelt Software (see http://www.windowsitpro.com/Article/ArticleID/93584/93584.html)? According to Sunbelt, Outlook 2007 B2TR is not vulnerable to this exploit.

Office 2007 Beta 2
http://www.microsoft.com/office/preview/

2007 Microsoft Office system Beta 2 Technical Refresh
http://www.microsoft.com/downloads/details.aspx?FamilyID=b07a3387-01cf-4bc3-821a-0bb10e7a59fa

2007 Office System Beta 2 Technical Refresh Administrative Templates (ADM)
http://www.microsoft.com/downloads/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.