Main Page | See live article | Alphabetical index

Outlook Express

Microsoft's Outlook Express is a email client provided for free by Microsoft. Outlook and Outlook Express are completely distinct platforms without common code, but the similar names lead some to incorrectly conclude that Outlook Express is a "stripped" version of Outlook. It is supplied free with Internet Explorer, which may or may not be freely available when future versions are released.

Microsoft claims the possible end to a freely downloadable browser is due to the fact that "further enhancements to security" will require Internet Explorer to be run only on a newly secured platform, Longhorn.

An installer icon for Internet Explorer 3.0 eventually made its way through Windows history to the Windows 95 desktop. It included Internet Explorer Mail and News, a precursor to Outlook Express. Internet Mail and News was just plain text, and had none of the security holes Outlook is known for. It did support HTML as an attachment, but would not display it as message content.

When Microsoft announced Outlook Express, they announced that they had created a mail client better than Eudora. It supported HTML composition, something only Eudora Pro supported. However, Eudora also supported (in both pro and light versions) limited HTML support (it definitely supported hyperlinking-- it is debatable whether it supported W3C standards for rich text), but it did support it. It did not support the displaying of remote images, nor tables, nor JavaScript. JavaScript and remote images were the cause of many of its security and privacy issues. Outlook Express is as insecure as Internet Explorer, because they allowed the distinction to blur between a trusted application, a beneign e-mail, and a remote webpage. Their vision for web applications caused them to integrate the browser into the mail client, with full scripting support.

In the "Welcome e-mail" for both Outlook and Outlook Express, Microsoft acknowledged that with new HTML e-mail, security was a risk. And they described their plan for foiling the security risk. Outlook and Internet Explorer both featured security zones-- a feature still not found in any of the competition. The zones were Intranet, Internet, Trusted, and Restricted. Internet was for any site not in a zone. Trusted sites could do things without asking user's permission, and was clearly designed for administrators who wanted to allow updating without any confusion. AOL used it to add to ensure that users who wanted to download their online service client software didn't have to grant them permission via an ActiveX certificate dialog box whose well-warranted warning might scare away potential customers. That required an Internet Explorer hack that should not have been possible if Microsoft's zones had worked as intended. The security zones were supposed to be user-controlled.

But that was a relatively benign breach due to Microsoft's implemention of the plan. Another flaw was the fact that the "Restricted" security zone wasn't restrictive enough. A script could automatically open as an attachment. (Another mitigating factor was a bug in Outlook's attachment handling that allowed an executable to be appear to be a harmless attachment such as a graphics file.) This bug was later fixed so that only the last . represented the end of the filename and the beginning of the file extension--the correct behavior for the Windows filesystem. And all of the sudden opening an e-mail (or previewing an e-mail, the preview pane was copied from Eudora Pro, but it was a relatively recent phonomenon in mail clients), could cause code to run without your express knowledge or consent. Viruses exploited this. See Outlook and Trustworthy Computing Intiative for more information on how Microsoft has responded.

While Outlook Express is regarded by some as a de-facto standard because of its filtering capabilities (which some regarded as being more powerful than Eudora Light's email filters were at the time) and HTML composition (which, however, has been the vector of worms and viruses).

Outlook Express' Draft folder feature is viewed Microsoft's own creation. The draft folder has been implemented by numerous other mail clients, except interestingly Eudora which has maintained its legacy popular In and Out metaphor -- its Out box handling queued and sent messages.

As of late, Microsoft has talked of halting development on Outlook Express, but has not stopped support or use of the software with its Windows operating system.