Windows Messenger uses similar logic and identical dialogs for handling file attachments. The one major difference is that email attachments are normally downloaded without any intervention by the user, while instant messaging attachments normally require the recipient's permission before they can be sent.
HTML content blocking in Outlook Express
One technique that spammers and viruses use to target active email users is to include external content, such as images, in HTML email. When the email calls out to the Web site that hosts the image, the "hit" can be recorded by the Web server and used to identify the recipient.
To preserve the user's privacy and prevent future attacks, Outlook Express now blocks external images and other external content in HTML mode. This option can be globally disabled by the user, and when the option is active the user can load the blocked external content for an email message with one mouse click.
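The blocking behaviour described above can be sketched in a few lines. This is an added example, not code from the original article or from Outlook Express; the names `is_remote`, `ExternalContentBlocker` and `block_external` and the sample message are assumptions made for illustration. It strips attributes that would make a client fetch remote content while rendering, keeps inline `cid:` parts and ordinary links, and records each blocked URL.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

FETCH_ATTRS = {"src", "background", "poster", "data"}   # fetched at render time
REMOTE_SCHEMES = {"http", "https", "ftp"}

def is_remote(url):
    """True if loading this URL contacts a server; cid: and data: stay local."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in REMOTE_SCHEMES

class ExternalContentBlocker(HTMLParser):
    """Re-emit an HTML body without remote fetches; record what was blocked."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            # Inline CSS can fetch too, so a style attribute using url() is dropped whole.
            if (fetches and is_remote(value)) or (name == "style" and "url(" in value.lower()):
                self.blocked.append(value)       # the would-be "hit" on the server
                continue
            kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag         # <img ... /> is treated the same way

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def block_external(html_body):
    """Return (sanitized_html, blocked_urls) for one HTML message body."""
    p = ExternalContentBlocker()
    p.feed(html_body)
    p.close()
    return "".join(p.out), p.blocked

# Constructed sample body; example.invalid is a placeholder host.
SAMPLE = ('<p>Hello &amp; welcome</p>'
          '<img src="http://example.invalid/o.gif?id=recipient42" width="1">'
          '<img src="cid:logo@local"><a href="http://example.invalid/">link</a>')
```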
As we will see, running binary behaviors, which use a specialized kind of COM interface that is a feature of Internet Explorer, has been disabled in the Restricted Sites zone by default. Outlook Express runs its HTML email using the rules of the Restricted Sites zone by default, although that can be configured by the user.
However, Outlook Express has now restricted binary behaviors. There is no legitimate reason for an email to use binary behaviors, so from Service Pack 2 onwards Outlook Express will never allow them.
As an additional safety measure, when the user sets Outlook Express to read all messages in plain text, Outlook Express uses the less complicated rich edit control instead of the more complicated HTML browser control (mshtml) from Internet Explorer. This choice presents no disadvantages to the end user, while offering a reduced attack surface. There are also a dozen other areas in Outlook Express where security has been tightened without affecting users.