Outlook Express

Viewing 0 reply threads
  • Author
    • #2213

      Applies To:Windows Server 2003 with SP1
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Plain text mode
      Detailed description
      The plain text modefeature of Outlook Express provides users with the option to render incoming mail messages in plain text
      instead of Hypertext Markup Language(HTML).When Outlook Express is running in plain text mode, therich edit control is
      used instead of the MSHTML control. You avoid somesecurity issues that result from the use of MSHTML by using therich edit
      Why is this change important?
      The use of therich edit control provides an additional barrier to malicious codethat is transmitted using e-mail. Computers
      running earlier versions of Windows XP had a vulnerability to malicious code because Outlook Express processes HTML header
      scripts in the HTML content.The MSHTML control automatically executes thesescripts.Therich edit control does notexecute
      HTML scripts, so this is mitigated. Because plain texte-mail does not require HTML header processing to be displayed properly,
      thereis usually littlevisible differencefrom this processing changein standard messageformats. Portions of e-mail messages
      that do notappear to render correctly arerelying on HTML rendering and could presenta danger to your system.
      What works differently?
      Thefollowing Outlook Express features are notavailable when running in plain text mode:
      Changing text sizeto a larger or smaller font.
      Full text searching through the body of a mail message.
      You can configure plain text modein several ways, including:
      Reading a message.
      In Outlook Express, on the Tools menu,click Options,and then click the Read tab.Select the Read all messages in
      plain text check box.
      Composing a message.
      In Outlook Express, on the Tools menu,click Options,and then click the Send tab. Under Mail Sending Format, select
      the Plain Text option.
      With a new menu option.
      On the View menu,click Message in HTML.
      This new menu item switches thecurrent messageview to HTML if it is currently in plain textview, both in the preview
      display as well as in thefull message display.
      How do I resolve these issues?
      If you aresurethat thesource of an e-mail messagecan betrusted and you want to usethefull featureset that is provided
      with the MSHTML control to support rich HTML e-mail for reading or composing,you can switch to the HTML mode by using
      the View menu option procedureas described abovein “With a new menu option.”
      Limit external HTML content downloads
      Detailed description
      This Outlook Express feature helps users to avoid getting repeated spam mailings by preventing the user from unknowingly
      validating his or her e-mail address to spam originators. Businesses that usespam as a marketing techniquetypically include
      references to images that reside on their Web servers insidethee-mail message.Some of thesespam e-mail messages contain
      single pixel images thatare notvisibleto therecipient of thee-mail so that therecipient will not beawarethat thereis any
      content that is malicious.When the user opened an e-mail that contains theimage, previous versions of Outlook Express
      automatically contacted the Web server to download and display theimages.When therequest for theimage was madeto the
      Web server, it could ascertain thata spam e-mail message was received by an activee-mail account, which validated thee-mail
      address in thespam originator’s mailing list. Now, when the Block images and other external content in HTML e-mail
      setting is enabled, the default behavior of Outlook Express changes so that it does not contact the Web server to download
      external content, which helps prevent theverification of thee-mail address with thespam originator.This download behavior
      is configurableand is enabled by default when you install Windows Server 2003 Service Pack 1.
      This featurealso helps to minimizea common problem that is experienced by people whosecomputers use dial-up network
      connections. Prior to implementing this feature, if users downloaded mail messages and then disconnected their network
      connection, when they attempted to view an HTML messages that included pictures or other external Internet content, their
      modem would automatically start to dial out to download theexternal content.
      Why is this change important?
      This featureincreases the privacy that is provided to users of Outlook Express.Their e-mail address is notautomatically
      validated by the Web server of spam originators without their knowledge when a spam e-mail messageis opened. Using this
      feature may result in thefollowing advantages:
      The user receives less spam.
      The user is less distracted by thereceipt of spam.
      Automaticattempts by a user’s modem to reconnect to theInternetafter receiving HTML e-mail decrease.
      What works differently?
      Implementing this featurein Outlook Express helps prevent therendering of pictures in HTML e-mail if the pictures must be
      retrieved from servers thatarein either theInternet or Restricted Web content zones.This new default behavior results in the
      user’s name not being validated by the Web site hosting the pictures, which makes the user’s e-mail nameless useful to spam
      senders.This may result in the user getting less spam over time.
      To communicatethat these pictures are missing, thereis now an External MessageInformation Bar that is displayed in both the
      Outlook Express message window as well as in the preview area.This External MessageInformation Bar appears whenever the
      messagecontains references to external Internet content, such as images or scriptand the options areset to render the
      messagein HTML.
      When Outlook Express blocks content, theactual imageis replaced with thestandard placeholder for the blocked imagein the
      text of the mail message. Images arethe only blocked items that providea visual cuethat something is not being displayed.
      For sounds, IFrames,and other content, thereis no visual indication in the body of the mail message.When users printan
      HTML e-mail that has blocked content, Outlook Express prints thee-mail exactly as itappears on thescreen, with a placeholder
      for the blocked images.Theexternal content is not downloaded.
      An added benefit of this featureis that it minimizes a common dial-up user problem: undesired automatic dial-up network
      connection attempts.When viewing an HTML e-mail message off-line, previous versions of Outlook Express would
      automatically dial out to connect to theInternetand retrieveany referenceimages. However, becausealmostall external HTML
      references in e-mail messages point to resources on theInternet thatare part of theInternet zone, thecontent is not displayed
      by defaultand a dial-up network connection is not requested.
      How do I resolve these issues?
      To turn off all external content blocking, on the Tools menu, point to Options,and then click Security. Clear the Block
      images and other external content in HTML e-mail check box.From that point, no content is blocked, which returns
      Outlook Express to the prior behavior of automatically downloading external content.
      To explicitly download external content for an e-mail message,click theExternal MessageInformation Bar to download the
      external content that was included with the message.
      Attachment Manager API integration
      Outlook Express now integrates a new set of application programming interfaces (APIs),called the Attachment Manager, to
      check e-mail attachments.This allows applications to eliminatecustom codethat performs similar safety checks and instead
      rely on this centrally-managed API set.The use of Attachment Manager provides a consistent user experienceacross all
      applications that check thesecurity of an attachment.
      Why is this change important?
      It is important to havea more unified approach for attachment security across all Windows applications.This helps to ensure
      that users geta consistentexperience with regard to thesecurity check performed on attachments.
      What works differently?
      Apart from theconsistent user experience, this feature does not provideany visiblechangeto the user.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Thereareseveral differences in functionality thata developer should beaware of.
      When API names are provided, they arethe Attachment Manager API. If the Do not allow attachments to be saved or
      opened that could potentially be a virus setting is disabled, Outlook Express calls SetReferer() and passes http://URL as a
      parameter.This is doneso that thesubsequent call to CheckPolicy() considers Outlook Express to bein theInternet Web
      content zone. Attachment Manager discriminates differently, depending on whether thecaller is in thecontext of theInternet
      or Restricted security zones.Thefollowing sections provide overviews of different behaviors that the Attachment Manager API
      Behavior when previewing a message that includes an attachment
      Beforethe preview area is rendered, CheckPolicy() is called to determinethestate of the menu options associated with the
      attachment icon in the preview area header,and thecorresponding actions as follows:
      If CheckPolicy() returns E_Fail (dangerous attachment), S_OK, or S_False (safeattachment), thereis no changeto the
      previous functionality of Outlook Express.
      Opening theattachment saves thefileas a temporary fileand then calls Execute() to executethefileinstead of the
      currently used ShellExecute() call.
      If Execute() fails, subsequent user actions are handled by Attachment Manager.
      When the Save Attachments dialog box is opened, thelist of attachments contains items thatareenabled in the menu.
      Blocked attachments do notappear in the Save Attachments dialog box.When the user selects the destination folder
      and clicks Save, Outlook Express saves thefiles to thespecified folder and then calls Save() on each of thesaved files.
      In thecase of previewing mail with multipleattachments, CheckPolicy() is called on each of theattachments. Depending on
      whether thereturn valueis E_Fail, or S_OK, or S_False, Outlook Express either disables or enables theattachment namein the
      In futureimplementations, Save() could fail if CheckPolicy() does not return S_OK. In this case, Outlook Express will display
      theerror message”Thefollowing attachments were not saved becausethey could not beverified as being safe”, followed by a
      list of failed files.
      Behavior when reading a message that includes an attachment
      Beforethe Outlook Express message window is rendered, CheckPolicy() is called for every attachment to determine which
      attachments areshown and which are blocked from access to the user.
      If CheckPolicy() returns E_Fail (dangerous attachment), S_OK or S_False (safeattachment), Outlook Express behaves
      justas it did in the past. Double-clicking theattachments thatare displayed in the Attach area of the message window
      follows theexact samesteps as described when executing attachments from the preview area.
      When the user clicks Save As, selects the destination folder and file name,and then clicks Save, Outlook Express saves
      theattachment in thespecified folder and then calls Save() to sync.
      Selecting Print is similar to running theattachment,except that, instead of calling Execute() withoutany parameters,
      Outlook Express issues a call to Execute(“print”). All other tasks, such as saving thefileto a temporary fileremain the
      sameas when executing theattachment.
      If the Do not allow attachments to be saved or opened that could potentially be a virus setting is disabled,
      Outlook Express calls SetReferer() and passes http://URL as a parameter.Thesubsequent call to CheckPolicy() then
      considers Outlook Express to bein theInternet Web content zone.
      Behavior when moving a message that includes an attachment
      If the user moves an item to a location outside Outlook Express — for example, dragging a messagecontaining an attachment
      to the desktop — Outlook Express performs theseactions:
      Generates a temporary file with HDROP.
      Saves a temporary file
      Calls Save() on thetemporary file
      If it is successful, HDROP is madeavailable
      If it fails, HDROP is not madeavailableand the drop target is disabled.

Viewing 0 reply threads
  • You must be logged in to reply to this topic.