COMMAND

    Outlook

SYSTEMS AFFECTED

    MS Outlook

PROBLEM

    Bryce Walter found following.  When a message is sent from Outlook
    in RTF format,  Outlook attaches a  file named winmail.dat.   This
    file  is  used  for   transmitting  the  RTF-specific   formatting
    information.   If the  recipient opens  the email  in Outlook they
    will not see the  attachment.  Additionally, default  behaviour of
    Exchange Server 5.5 appears to strip the attachment from  messages
    going to recipients external to the orginization.

    In the situation of an Outlook user with a POP3/SMTP account (such
    as  their  ISP)  sending  a  message  to someone who uses an email
    client  other  than  Outlook  (a  Hotmail account for example) the
    recipient  will  see  winmail.dat  listed  as an attachment.  Upon
    opening winmail.dat with a text viewer you can clearly make out  a
    line  that  contains  the  full  path  to the .pst location on the
    sender's hard  drive.   Since this  is located  by default  in the
    users profile directory, you can see the sender's NT account  name
    as well as the domain name.

    The attachment of winmail.dat in Outlook RTF emails is  documented
    in MS KB articles.  They  detail how to prevent the attachment  of
    winmail.dat (configure the removal  at the Exchange Server  level,
    or don't use RTF formatting in your Outlook client).  However they
    do not document what is contained in winmail.dat.  Upon contacting
    secure@microsoft about this (4 months ago) Bryce was informed a KB
    article detailing the contents of winmail.dat would be forthcoming
    (not yet on their site).

    This behaviour  was seen  in Outlook  2000.   Previous versions of
    Outlook were not tested, but judging by the KB articles,  previous
    versions of Outlook  have the exact  same behaviour in  regards to
    winmail.dat as Outlook 2000.

    As a  side note  it would  be an  interesting excercise  to see if
    Outlook is susceptible to  a message with a  malformed winmail.dat
    attached.   One  could  theoretically  use  winmail.dat  to hit on
    holes  in  either  Outlook  itself,  or  the  Outlook  RTF  engine
    (Outlook does not use the same RTF engine as Wordpad).

    In addition, Outlook buries *all* of the message's attachments  in
    the WINMAIL.DAT file, thus rendering them unavailable to most mail
    clients, including some versions of Outlook.

SOLUTION

    Repeat after me: Outlook Rich Text Format Is The Devil's Spawn.