Check: DTOO231 - Outlook
Microsoft Outlook 2007: DTOO231 - Outlook (in versions v4 r15 through v4 r16)
Title
Disable the feature that uses Unicode when dragging eMail message to file system - Outlook. (Cat II impact)
Discussion
By default, when users drag e-mail messages from Outlook 2007 to a Windows Explorer window or to their Desktop, Outlook creates a .msg file using the native character encoding format for the configured locale (the so-called "ANSI" format). If this setting is Enabled, Outlook uses the Unicode character encoding standard to create the message file, which preserves special characters in the message. However, Unicode text is vulnerable to homograph attacks, in which characters are replaced by different but similar-looking characters. For example, the Cyrillic letter а (U+0430) appears identical to the Latin letter a (U+0061) in many typefaces, but is actually a different character. Homographs can be used in "phishing" attacks to convince victims to visit fraudulent Web sites and enter sensitive information.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Other -> Advanced "Use Unicode format when dragging e-mail message to file" will be set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\General

Criteria: If the value MSGFormat is REG_DWORD = 0, this is not a finding.
Fix Text
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Other -> Advanced “Use Unicode format when dragging e-mail message to file” will be set to “Disabled”.
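The following PowerShell script is an added example for auditing and remediating this check on the local machine; it is not part of the STIG text. It uses the registry path and value name given in the Check Content above and assumes Outlook 2007 (the Office 12.0 policy hive). The function names Test-DTOO231 and Set-DTOO231 are the example's own.

```powershell
# Added example (not STIG-supplied code): audit and remediate DTOO231 in the
# current user's hive. Path and value name are taken from the check text.
$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Options\General'
$ValueName = 'MSGFormat'

function Test-DTOO231 {
    # The criterion is satisfied only by an explicit REG_DWORD value of 0.
    # Anything else (absent key, absent value, wrong type, non-zero) is reported
    # as a finding so that "policy never applied" is not mistaken for compliant.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return "Finding: $ValueName is absent under $KeyPath (policy not applied)"
    }
    $kind = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "Finding: $ValueName is of type $kind, expected REG_DWORD"
    }
    if ($item.$ValueName -eq 0) {
        return 'Not a finding: MSGFormat is REG_DWORD = 0'
    }
    return "Finding: $ValueName = $($item.$ValueName), expected 0"
}

function Set-DTOO231 {
    # Registry equivalent of setting the GPO "Use Unicode format when dragging
    # e-mail message to file" to Disabled: MSGFormat = REG_DWORD 0.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Audit, remediate if necessary, then re-audit.
$before = Test-DTOO231
if ($before -notlike 'Not a finding*') {
    Set-DTOO231
}
Test-DTOO231
```

Two caveats apply when using this in practice. First, the Policies hive is managed by Group Policy, so a value written directly here will be reverted or overridden at the next policy refresh; the durable fix is the GPO setting named in the Fix Text, and the script is best used as the audit half of that process. Second, the check inspects HKCU, so it only covers the user whose hive is currently loaded; auditing other profiles on the machine requires loading their hives (or reading them via a per-user scan) rather than trusting a single run.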
Additional Identifiers
Rule ID: SV-19050r1_rule
Vulnerability ID: V-17812
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |