Prevent Infection By Malware That Exploits Outlook Express/Windows Mail Preview Pane Vulnerabilities By Disabling The Preview Pane

For: Outlook Express 5.0+ | Windows Mail 6.0+

Last Reviewed/Updated: 18 Feb 2014 | Published: 26 Sep 2001 | Status: Active

  1.  Introduction
    1.1.  The OLEXP 5.0 Preview Pane
    1.2.  The OLEXP 5.5 Preview Pane
    1.3.  The OLEXP 6.0 Preview Pane
    1.4.  The WMAIL 6.0 Preview Pane
  2.  Disable The OLEXP Preview Pane
  3.  Disable The WMAIL Preview Pane

1.  Introduction

An email client is a program that allows users to compose, send, receive, and read email messages. Outlook Express (OLEXP) is the email client included with Windows 98, Windows ME, Windows 2000 Professional, and Windows XP. Windows Mail (WMAIL), the successor to Outlook Express, is the email client included with Windows Vista.

OLEXP/WMAIL organizes email messages into folders. The default OLEXP/WMAIL folders are listed under Local Folders and include an Inbox, Outbox, Sent Items, Deleted Items, and Drafts folder (OLEXP/WMAIL), and a Junk E-mail folder (WMAIL).

By default, when an OLEXP/WMAIL folder is opened, two panes appear: (1) a top right pane that lists the folder's email messages, and (2) a bottom right pane, known as the Preview Pane, that displays the email message selected in the top right pane. Also by default, when an OLEXP/WMAIL folder is opened, the last email message listed in the top right pane is automatically selected and, therefore, displayed in the Preview Pane. The OLEXP 5.0, 5.5, 6.0, and WMAIL 6.0 Preview Panes are shown below:

1.1.  The OLEXP 5.0 Preview Pane

OLEXP 5.0 Preview Pane: Windows 98SE

1.2.  The OLEXP 5.5 Preview Pane

OLEXP 5.5 Preview Pane: Windows 2000 Professional Includes SP3

1.3.  The OLEXP 6.0 Preview Pane

OLEXP 6.0 Preview Pane: Windows XP Home Edition Original Release

1.4.  The WMAIL 6.0 Preview Pane

WMAIL Preview Pane: Windows Vista Ultimate Original Release

Email is frequently used to distribute malware, including, but not limited to, viruses, worms, and trojans. The most common method for distributing malware through email is to package the malware as an email attachment. For infection to occur, the attachment must be executed. In the vast majority of cases, executing the attachment requires the user to interact with it, for example, by double-clicking the attachment or otherwise trying to open or run it. In a few cases, however, simply opening the email message can execute the attachment, because the message itself contains specially crafted code that executes the attachment as soon as the message is opened. One of the most infamous worms of all time, W32.Nimda.A@mm (symantec.com; described by Symantec 18Sep01), is an example of malware packaged as an email attachment in which infection is triggered by simply opening the email message.

Note: Opening an email message displays the email message's body/content in an email client for viewing. Executing an email attachment runs the email attachment or opens the email attachment in its associated program.

A less common method for distributing malware through email is attachment-independent and involves packaging the malware into the email message itself. For infection to occur, the email message simply needs to be opened. Two of the first examples of malware packaged into an email message in which infection is triggered by simply opening the email message are the VBS.BubbleBoy worm (symantec.com; described by Symantec 09Nov99) and the Wscript.KakWorm worm (symantec.com; described by Symantec 30Dec09).

By default, when an OLEXP/WMAIL folder is opened, the last email message listed in the folder is automatically selected and opened in the OLEXP/WMAIL Preview Pane. This behavior, intended as a convenience, is unfortunate: if the last email message listed in an OLEXP/WMAIL folder harbors malware in which infection is triggered by simply opening the email message, then simply opening the OLEXP/WMAIL folder results in malware infection. Also by default, selecting any email message in the OLEXP/WMAIL top right pane automatically opens the email message in the Preview Pane. This behavior, also intended as a convenience, is equally unfortunate: if any email message listed anywhere in an OLEXP/WMAIL folder harbors malware in which infection is triggered by simply opening the email message, then simply selecting the email message, even to delete it, results in malware infection.

Fortunately, the default behavior of OLEXP/WMAIL, to automatically open email messages (in the Preview Pane), can be disabled by disabling the OLEXP/WMAIL Preview Pane. After the OLEXP/WMAIL Preview Pane is disabled, OLEXP/WMAIL folders can be opened, and email messages listed in the folders can be selected and deleted without the email messages being opened and triggering malware infection. This Web page describes how to prevent infection by malware that exploits OLEXP/WMAIL Preview Pane vulnerabilities by disabling the Preview Pane.

Important:
  • The mechanisms through which malware infection occurs by simply opening an email message take advantage of vulnerabilities in OLEXP/WMAIL, and/or Internet Explorer, and/or Windows. Microsoft resolves these so-called Preview Pane vulnerabilities by releasing Security Updates that users can download and install from Windows/Microsoft Update. Running Windows/Microsoft Update protects users from threats exploiting known vulnerabilities that Microsoft has resolved, but does not protect users from threats exploiting newly discovered vulnerabilities that Microsoft has not had time to resolve. Therefore, even if you frequently run Windows/Microsoft Update, it is strongly recommended that you disable the OLEXP/WMAIL Preview Pane.
  • Disabling the OLEXP/WMAIL Preview Pane is one of many steps to secure OLEXP/WMAIL from email-affiliated malware infection. Further discussion of securing OLEXP/WMAIL from email-affiliated malware infection is beyond the scope of this page.

2.  Disable The OLEXP Preview Pane

  1. Open OLEXP.
  2. In the OLEXP Folders pane, select Local Folders:
    Outlook Express 6.0 Local Folders: Windows XP Home Edition Original Release
  3. Click View | Layout.
  4. In the Preview Pane fieldset, uncheck Show preview pane.
  5. Click OK.

3.  Disable The WMAIL Preview Pane

  1. Open WMAIL and click View | Layout.
  2. In the Preview Pane fieldset, uncheck Show preview pane.
  3. Click OK.