Posted on by Vulnerability Analysisin
Reading email messages in plain text seems like a reasonable thing to do to improve the security of your email client. Plain text takes less processing than HTML, which should help minimize your attack surface, right? As it turns out, Outlook Express (and its derivatives) is doing more than you think when it is configured with the "Read all messages in plain text" option enabled.
Outlook Express is an email client that is provided with various versions of Microsoft Windows, starting with Windows 98. In Windows Vista, the client was renamed Windows Mail. Windows 7 does not come with an email client, but a newer version of Windows Mail called Windows Live Mail is available for download. Despite the different names, all three products are essentially different versions of the same software. In this blog entry, the term "Outlook Express" refers to all three versions.
It is reasonable to guess that the "Read all messages in plain text" option means that Outlook Express displays only the plain text MIME part of an email message. Or perhaps it just strips out the HTML tags from the message. However, both these guesses are wrong. Outlook Express is doing much more than this.
When Outlook Express receives an HTML email message, it determines the handler for the "text/html" MIME type. Outlook Express then uses the Internet Explorer rendering engine (MSHTML) to process the message. If the "Read all messages in plain text" option is specified, then the content is reduced to a plain text form. The important concept here is that the Internet Explorer rendering engine is used to process HTML email messages, regardless of the plain text setting.
In fact, ironically, setting the option to read messages in plain text can put the system at increased risk! While investigating attack vectors for the Windows animated cursor stack buffer overflow vulnerability (VU#191609), I noticed that when the "Read all messages in plain text" option was enabled, Outlook Express could be compromised just by displaying an email message in the preview pane. The default configuration of displaying messages in HTML format was not vulnerable via the preview pane. The HTML email referenced an ANI file on a remote server, and even though it was configured to display messages in plain text, Outlook Express retrieved the remote ANI file and processed it. Microsoft was notified of this behavior, and they updated their security bulletin with the text: "Note Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability." The behavior of Outlook Express does not appear to have changed since then.
Consider the recent Windows 7 / Server 2008 R2 denial-of-service vulnerability. This vulnerability can cause a Windows 7 or Server 2008 R2 system to hang upon attempting to create an SMB connection to a malicious server. Similar to the ANI bug, if Windows Live Mail is configured to display messages in plain text, the vulnerability can be triggered by simply receiving a malicious email and displaying it in the preview pane. The default configuration of displaying messages in HTML format is not as vulnerable because it appears to require additional user interaction, such as clicking the "Show images" link or forwarding or replying to the message.
If you are using an email client based on Outlook Express (including Windows Mail and Windows Live Mail), avoid using the "Read all messages in plain text" option. While it is possible that the setting could protect against some vulnerabilities, I have investigated several scenarios where it puts the user at increased risk. Note that Microsoft Outlook does not appear to be affected by this problem. In Outlook, the option to read messages in plain text does appear to offer increased protection against vulnerabilities.