Independent security consultant Richard Smith pointed to four "questionable security policies" in Outlook 2002 that Microsoft has yet to fix, even though he notified the company of the problems over the past twelve months.
Microsoft did not immediately return calls seeking comment.
Smith said the most critical problem is that Outlook will automatically download potentially dangerous files sent in certain hypertext markup language (HTML) e-mail messages. The warning applied to e-mails with IFRAME HTML tags embedded in the message. If a user reads such an e-mail, Outlook will begin downloading executable files from a Web specified in the message.
"Outlook will put up a dialog box asking a user if they want to open the file, save it, or cancel the download," Smith wrote. "There is no security warning that the executable file might be dangerous. Unfortunately, the default action of the dialog is 'Open'."
Smith recommended that IFRAME tags be used only in conjunction with HTML, image and text files.
"In Outlook, URLs are limited to about 2,000 characters which is probably enough space to contain a simple worm which could exploit one of the known Internet Explorer security holes," said Smith.
In addition, Smith claimed that cookies can be set and read in HTML e-mails despite Outlook's default settings to turn cookies off. Cookies are small programs that collect information about which sites users visit on the Internet. While cookies can make life easier by identifying users when they return to a site, they can also be used to track Internet usage, making them a contentious privacy issue.
Smith contended that Microsoft's Outlook and Internet Explorer development teams disagree on the potential threat posed by .URL files, causing disruptive messages to appear occasionally when working with the two applications.
"The Outlook group sees them as security threat, while the IE group does not," Smith said.
He also noted that: "These problems are likely to affect earlier versions of Outlook as well as Outlook Express."