An error occurred:

Check: DTOO271 - Outlook

Microsoft Outlook 2007: DTOO271 - Outlook (in versions v4 r16 through v4 r15)

Title

Disable automatic download content for email from people in Safe Senders and Safe reciipeint lists. (Cat II impact)

Discussion

Malicious e-mail senders can send HTML e-mail messages with embedded Web beacons, or pictures and other content from external servers that can be used to track whether specific recipients have opened a message. Viewing an e-mail message that contains a Web beacon provides confirmation that the recipient's e-mail address is valid, which leaves the recipient vulnerable to additional spam and harmful e-mail. To help protect users from Web beacons, Outlook 2007 can be configured to automatically block the display of external content in e-mail messages. However, because this configuration could block desirable content from display, Outlook can also be configured to automatically display external content in any messages sent by people who are listed in users' Safe Senders Lists or Safe Recipients Lists. By default, Outlook 2007 automatically displays external content in e-mail messages from people listed in users' Safe Senders Lists or Safe Recipients Lists, and automatically blocks external content in other messages. If a malicious sender is accidentally added to a user's Safe Senders List or Safe Recipients List, Outlook will display external content in all e-mail messages from the malicious sender, which could include Web beacons.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Automatic Picture Download Settings “Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail Criteria: If the value UnblockSpecificSenders is REG_DWORD = 0, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Automatic Picture Download Settings “Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists” will be set to “Disabled”.

Additional Identifiers

Rule ID: SV-18920r1_rule

Vulnerability ID: V-17739

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
No CCIs are assigned to this check

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check