Comments on: Outlook HTML is better broken and safe, than rich and dangerous

By: tim

tim — Thu, 25 Jun 2009 17:08:01 +0000

@Dan yes I thought that was what you meant; I don’t have any messages, that I’m aware of and value, where that is a problem.

Tim

By: Dan Hallock

Dan Hallock — Thu, 25 Jun 2009 17:01:19 +0000

Clarification: what I mean by broken archives is that existing e-mail messages which rendered properly in 2003, now render improperly in 2007 and will continue to render improperly in 2010.

Aside: I’m curious how Outlook Web Access handles the security implications of HTML e-mail. I know it blocks external content by default. Who knows, there might even be a time-tested pre-parser there that they could use in Outlook.

By: tim

tim — Thu, 25 Jun 2009 16:22:48 +0000

@Dan Hallock well spotted, but according to this Secunia search that is the only one:

http://secunia.com/advisories/product/13799/?task=advisories

Anyway, point taken. My views are coloured by the dreadful security problems with embedded IE in Outlook in OL 97, 98 and 2000 days. My email archive is fine, by the way.

Tim

By: John Dowdell

John Dowdell — Thu, 25 Jun 2009 15:42:11 +0000

Thanks for the voice of sanity, Tim… greatly appreciated.

I watched with horror ten years ago as marketers drove what was clearly unsafe. File formats routinely self-destruct when they attempt to duplicate other formats. RSS is another example… originally for short notifications, then there was pressure to make it a duplicate publishing format.

But it’s hard to push back against those who wish certain features they’ve seen in other formats. It colors my judgment of the WhatWG’s “HTML5″ proposals today.

jd/adobe

By: Dan Hallock

Dan Hallock — Thu, 25 Jun 2009 15:36:47 +0000

A silly argument and you know it. There’s no need to hand off an e-mail to Internet Explorer untouched; pre-parse it and strip ActiveX and JavaScript. Outlook 2007 broke people’s archives of existing mail and broke compatibility with other e-mail clients. It was a regression for users in every way from 2003.

Secunia Advisory SA30285 can be exploited through the Outlook Word renderer. There are probably others; that’s all I came up with in 90 seconds of looking.

By: tim

tim — Thu, 25 Jun 2009 08:22:47 +0000

@Scott

Thanks for the comment.

Are you aware of any security exploits for Word in Outlook (exploiting the viewer, not attachments)? Second, what do you think are the chances of Microsoft embedding Gecko or WebKit in Outlook?

Tim

By: Scott Willeke

Scott Willeke — Thu, 25 Jun 2009 08:14:12 +0000

First, the word rendering engine is broken in any case. Take standard HTML that Microsoft claims they welcome and it works in most major email clients except word (and Gmail).

Second, nobody is asking to make Outlook unsafe. If Internet Explorer isn’t safe to use as you imply, then Outlook shouldn’t use use it. Firefox/Gecko has an embeddable engine, so does WebKit/Safari that are widely used in email clients and are proven to be safe for years long before and after IE & Outlook were so widely exploited. BTW: As I recall Word had some well known security exploits to, so the implication that using word is safer doesn’t fly.

Third, standard HTML emails supported by other email clients do not allow “JavaScript, Flash and the like”. Nobody is suggesting that it be added to Outlook.

For me, we write software for business (not “email marketing” either) and our customers often want to be able to send emails with some basic text formatting and maybe some images inside the content to a large group of people who use various email clients. A reasonable request and one that for non-programmers would seem simple enough. However, due to incompatibility of Outlook – and Gmail- it is incredibly difficult to accomplish with reasonable HTML. By embracing Word as a renderer in Office (another thing that surely contributes to Outlooks notoriously poor performance) Microsoft is only exacerbating the problem.