Title

The use of the weather bar in Outlook must be disabled (Cat II impact)

Discussion

The Weather Bar in Outlook displays weather conditions and forecast for a geographic location. By default, Outlook uses weather data provided by MSN Weather. The Weather Bar supports third-party weather data web services that follow a defined protocol to communicate with Outlook. As long as a third-party weather data service supports this protocol, users can choose that weather data service to provide weather data in the Weather Bar. Since the Weather Bar communicates to external, commercial weather sites, enabling it introduces the possibility of connections to malicious sites that could download malware into the environment.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Preferences -> Calendar Options -> "Disable Weather Bar" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\15.0\outlook\options\calendar Criteria: If the value disableweather is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Preferences -> Calendar Options -> "Disable Weather Bar" to "Enabled".

Additional Identifiers

Rule ID: SV-54068r1_rule

Vulnerability ID: V-41492

Group Title: DTOO424 - Disable weather bar in Outlook

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.