OL: Solutions Should Not Use Active Content in HTML E-Mail Messages (321847)

MORE INFORMATION

Adding custom scripts and other active content to HTML-based e-mail messages may seem to provide a simple way to expose solutions directly in someone's Inbox. However, many people consider these types of solutions a security risk, and there are a number of factors involved that frequently make these types of solutions problematic.

Microsoft primarily defines "active content" as scripting technologies such as Visual Basic Scripting Edition (VBScript) and JScript. However, for the purposes of HTML-based e-mail messages, "active content" can include other technologies that malicious developers may exploit or that users consider a security risk. Because of this, Microsoft may limit HTML capabilities more in e-mail messages in future versions and service updates of Microsoft Outlook and Microsoft Internet Explorer.

NOTE: Currently, HTML forms that do not use a scripting language are not considered active content. Therefore, Microsoft supports these HTML forms. If an HTML form does not seem to work in Outlook 2002, a bug may be affecting communication between the server and the client. For additional information, click the article number below to view the article in the Microsoft Knowledge Base: Consider the following factors if you plan to send active content as an e-mail message:

• If you lower security on a computer to allow active content in an HTML-formatted e-mail message to run, you also increase the risk of exposing the user to malicious HTML e-mail messages.
• Microsoft has heard from customers repeatedly that customers consider active content in e-mail messages a security risk. Therefore, Microsoft recommends that you develop solutions that do not have the potential to raise security concerns.
• Increasingly, Microsoft has prevented active content from running in HTML e-mail messages, especially with the Outlook 2000 E-mail Security Update (which is integrated into Outlook 2000 Service Pack 2) and Outlook 2002. Various security updates to both Microsoft Internet Explorer and Outlook may directly or indirectly affect product functionality in this area. Given the amount and the frequency of product changes in this general area, there is an increased risk that HTML-based e-mail solutions may be severely affected.
• Outlook 2002 disables some forms of active content unilaterally, regardless of Internet Explorer and Outlook security settings. According to Outlook 2002 Help:

  To protect against viruses that might be contained in HTML messages you receive, scripts won't run and ActiveX controls will be deactivated regardless of your security zone setting. By default, the Microsoft Outlook security zone is set to Restricted Site.

• Unless you are developing a solution for an organization in which all of the computers are configured consistently and locked down so that various security settings cannot be changed, it is inherently problematic to create a solution of this nature. This is especially true if multiple versions of Outlook are being used.

Given these factors, Microsoft Product Support Services (PSS) cannot provide support for these types of solutions. Instead, Microsoft recommends that a Web server host solutions that contain HTML active content. Additionally, Microsoft recommends that these solutions be rendered directly in a Web browser. If you want to enable messaging-type functionality, consider sending a link to a Web page instead of embedding the Web page directly in an e-mail message.