Information About "E-mail Wiretapping" Privacy Issue

Several recent news reports have discussed a potential privacy issue involving a particular type of e-mail, known as HTML e-mail. We'd like to provide some additional information on the subject. In particular, we'd like customers to know that if they are using the most recent version of Outlook, or if they've applied the previously-released Outlook Email Security Update, they are not affected by the issue. Other customers can easily configure their mail programs to prevent it.

The issue involves the ability to create an HTML e-mail that, each time it's read, could send back to the originator a copy of the mail's contents. This could potentially give the author of the e-mail an opportunity to see who the mail was subsequently forwarded to, and to see any forwarding comments that had been added to it. The Microsoft Security Response Center investigated this issue when it was reported to us, and we confirmed that it would indeed be possible to create such an HTML e-mail. However, as is often the case in privacy issues, the problem arises because a useful and properly-implemented technology - in this case, HTML e-mail - can be misused. Fortunately, it's easy to block this misuse.

HTML mail is a technology that, in essence, allows web pages to be sent as e-mail. Like a web page, an HTML e-mail can include dynamic functions like animation, voting buttons, forms, and so forth. Also like web pages, this functionality is sometimes effected via small programs called scripts. Just as the script in a web page executes each time it's opened in a browser, the script in an HTML e-mail executes each time it's opened in a mail client. This behavior is a property of the HTML e-mail technology, and operates the same way in a number of mail clients produced by different vendors, including Microsoft Outlook and Outlook Express.

With this as background, it's probably no surprise to learn that it's possible for an HTML e-mail to send copies of itself to the originator. The script can, of course, access the contents of the mail because it's part of the mail. Once it's done that, it can send the information back to the originator using the same commands that allow forms to be submitted to a web site. None of the commands used to do this are flawed in any way. The problem lies in the circumstances under which they're used.
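The mechanism described above needs two things to be present in the HTML part of a message: script that runs when the mail is opened (a `<script>` element or an inline event-handler attribute) and a way to submit data back to the originator (a `<form>` with an outside target). The following is an added example, not code from the original page or from Microsoft, showing how a mail administrator could check an incoming message for exactly that combination before it reaches a client where scripting is still enabled. The sample messages, addresses and host names in it are constructed for the example; the script bodies are placeholders only.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a single-part HTML e-mail of the kind the text describes,
# carrying an inline script, an inline event handler and a form whose submission
# target is an outside host. Addresses and host names are made up.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Hello, please see the proposal below.</p>
<form action="http://collector.example.invalid/submit" method="post">
<input type="hidden" name="body"></form>
<script>/* placeholder: script that would run each time the mail is opened */</script>
<p onmouseover="/* placeholder event handler */">hover text</p>
</body></html>
"""

# Constructed sample: an ordinary plain-text message with no HTML part at all.
BENIGN_MESSAGE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed plain message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hello, please see the proposal attached.
"""


class ActiveContentScanner(HTMLParser):
    """Records the markup an HTML e-mail needs in order to run script and submit
    data to a remote host: <script> elements, inline on* event-handler
    attributes, and the action targets of <form> elements."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.event_handlers = []   # (tag, attribute-name) pairs
        self.form_actions = []     # raw action attribute values

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        if tag == "form":
            self.form_actions.append(dict(attrs).get("action", ""))
        for name, _value in attrs:
            # HTMLParser lower-cases attribute names; every DOM event handler
            # attribute begins with "on" (onload, onmouseover, ...).
            if name.startswith("on"):
                self.event_handlers.append((tag, name))


def html_parts(raw_message):
    """Yield the decoded body of every text/html part in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw_message):
    """Summarise the active content found across all HTML parts of a message."""
    findings = {"scripts": 0, "event_handlers": [], "form_actions": []}
    for body in html_parts(raw_message):
        scanner = ActiveContentScanner()
        scanner.feed(body)
        scanner.close()
        findings["scripts"] += scanner.scripts
        findings["event_handlers"].extend(scanner.event_handlers)
        findings["form_actions"].extend(scanner.form_actions)
    return findings


def is_active_html_mail(raw_message):
    """True when the message contains script that would execute on opening.
    A form alone is harmless; it is the script that can read the mail body
    and drive the submission."""
    findings = scan_message(raw_message)
    return findings["scripts"] > 0 or bool(findings["event_handlers"])


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, scan_message(raw), "active:", is_active_html_mail(raw))
```

The scanner deliberately reports form targets separately from script: a form by itself cannot send anything until a user submits it, so a gateway rule would normally quarantine on script presence and merely log the form action for context. Multipart messages are handled the same way, since `walk()` visits every part and only the `text/html` ones are fed to the parser.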

The good news is that you could only be affected by this issue if scripts are allowed to run in your mail client, and it's easy to disable scripting. All web content, regardless of whether it's on a web page or in an e-mail, is processed within one of the security zones defined in Internet Explorer. Outlook and Outlook Express always open HTML e-mails in one of these zones, and by changing the zone that's used, you can regulate the actions HTML e-mails will be able to take when they're opened.

If you're using Outlook, you may already be protected against this issue. In particular, you cannot be affected by this issue if any of the following are true:

  • You're using Outlook 2000 Service Pack 2. The default configuration of Outlook 2000 SP2 opens HTML e-mail in a zone where scripting is disabled.

  • You've applied the Outlook Email Security Update. The Update reconfigures Outlook 98 or 2000 to open HTML e-mail in a zone where scripting is disabled.

  • You're using a version of Outlook prior to Outlook 98. These versions didn't support scripting in HTML e-mails under any conditions.

Microsoft encourages all customers who haven't already done so to download and install Outlook 2000 Service Pack 2 or the Outlook Email Security Update. In addition to preventing this issue, both options also provide enhanced protection against other classes of e-mail-based attacks.

If you're using Outlook Express, or if you're using Outlook but aren't covered by any of the cases above, you can configure it to prevent scripts in HTML e-mails from running. You need to do two things:

  • Move mail into the Restricted Sites Zone. In Outlook Express, select Options from the Tools menu and select the Security tab. Select the radio button labeled "Restricted Sites zone", then click OK. If you're using Outlook, select Options from the Tools menu and select the Security tab. Select "Restricted Sites" in the pull-down box labeled "Zone", then click OK.

  • Ensure that Active Scripting is disabled in the Restricted Sites Zone. Open Internet Explorer, then select Internet Options from the Tools menu and select the Security tab. Click on the Restricted Sites icon, then click on the Custom Level button. Scroll to the section labeled Scripting, then check the setting for Active Scripting and make sure that Disabled is selected. Click OK twice.

Additional information on configuring Outlook and Outlook Express is available in the online help for each product. For more information on using and customizing security zones, see Microsoft Knowledge Base article How to Use Security Zones in Internet Explorer (174360).