An error occurred:

Check: DTOO275 - Outlook

Microsoft Outlook 2007: DTOO275 - Outlook (in versions v4 r16 through v4 r15)

Title

Configure the "include Intranet" with Safe Zones for automatic picture downloads. (Cat II impact)

Discussion

Malicious e-mail senders can send HTML e-mail messages with embedded Web beacons, which are pictures and other content from external servers that can be used to track whether recipients open the messages. Viewing e-mail messages with Web beacons in them provides confirmation that the recipient's e-mail address is valid, which leaves the recipient vulnerable to additional spam and harmful e-mail. By default, Outlook 2007 does not download external content in HTML e-mail messages from untrusted senders over the local intranet. If this configuration is changed, Outlook will display external content in all HTML e-mail messages received via the local intranet, which could include Web beacons.

Check Content

The intent of this requirement (DTOO275) is to prevent content from the Intranet from being automatically downloaded. This requirement (DTOO275) is coupled with DTOO272 which dictates whether content from Safe Zones is automatically downloaded or not. Since DTOO272 allows for content from Safe Zones to be automatically downloaded, this requirement (DTOO275) prevents the Intranet from being considered as a Safe Zone. Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office Outlook 2007 >> Security >> Automatic Picture Download Settings “Include Intranet in Safe Zones for Automatic Picture Download” is set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail Criteria: If the value Intranet is REG_DWORD = 0, this is not a finding.

Fix Text

The policy value for User Configuration >> Administrative Templates >> Microsoft Office Outlook 2007 >> Security >> Automatic Picture Download Settings “Include Intranet in Safe Zones for Automatic Picture Download” will be set to “Disabled”.

Additional Identifiers

Rule ID: SV-18779r4_rule

Vulnerability ID: V-17634

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
No CCIs are assigned to this check

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check