COMMAND

    Outlook

SYSTEMS AFFECTED

    Those using MS Outlook Express

PROBLEM

    '1nternal' posted the following.  Outlook Express uses HTML to
    display certain information in the 'Outlook Today' type part of
    Outlook Express, i.e. the number of unread messages in your inbox
    etc.  Because it is considered to be in the 'internet zone', this
    information needs to be safely scriptable, thus it can be accessed
    by any site in this zone.  This allows for a possible (although
    admittedly minor) privacy and possibly security problem.  The
    'problem' lies in the 'OutlookExpress.MessageList' ActiveX
    control, which is marked safe for scripting.  It allows for
    counting the number of messages in any folder within Outlook
    Express, as well as the number of unread items and a few other
    things, such as setting options; however, the options are set for
    that instance only and are not saved.  The following is an example
    of viewing the number of messages in a folder, as well as
    previewing the message (creating the file 'C:\oe_prev$.eml'
    without the user's permission).  It should be noted that this
    preview message is not accessible remotely (without an exploit).

        <script language="VBSCRIPT"><!--

        set MsgList = CreateObject("OutlookExpress.MessageList")
        MsgList.Folder = 6
        msgbox(MsgList.Count)
        location.href = MsgList.PreviewMessage

        --></script>

    Obviously, this could also be done in JavaScript; however, it
    would still require ActiveX support and OE5.

SOLUTION

    Nothing yet, but I don't expect any as it is a minor thing.
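
    Added example (not part of the original post): a Python check that
    a mail or web content filter could run over HTML to flag scripts
    instantiating the 'OutlookExpress.MessageList' control described
    under PROBLEM, and to list which of its members they touch.  The
    function and class names and the sample page are constructed for
    illustration; controls embedded through an <object> tag are not
    covered.

```python
import re
from html.parser import HTMLParser

PROGID = "OutlookExpress.MessageList"  # ProgID named in the advisory
# `x = CreateObject("...")` (VBScript) or `x = new ActiveXObject("...")` (JScript)
CREATE_RE = re.compile(
    r"(\w+)\s*=\s*(?:new\s+ActiveXObject|CreateObject)\s*\(\s*[\"']"
    + re.escape(PROGID) + r"[\"']\s*\)", re.IGNORECASE)

class ScriptCollector(HTMLParser):
    """Collects [language, body] for every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            lang = a.get("language") or a.get("type") or "javascript"
            self.scripts.append([lang.lower(), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def find_messagelist_use(html):
    """One finding per instantiation: script language, variable, members touched."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for lang, body in collector.scripts:
        for m in CREATE_RE.finditer(body):
            var = re.escape(m.group(1))
            members = re.findall(r"\b" + var + r"\.(\w+)", body, re.IGNORECASE)
            findings.append({"language": lang, "variable": m.group(1),
                             "members": sorted(set(members), key=str.lower)})
    return findings

# Constructed sample: the advisory's VBScript, a JScript variant, a benign script.
SAMPLE = """<script language="VBSCRIPT"><!--
set MsgList = CreateObject("OutlookExpress.MessageList")
MsgList.Folder = 6
msgbox(MsgList.Count)
location.href = MsgList.PreviewMessage
--></script>
<script>var ml = new ActiveXObject("OutlookExpress.MessageList"); alert(ml.Count);</script>
<script>document.title = "benign";</script>"""
print(find_messagelist_use(SAMPLE))
```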