IE ‘Critical Update’ Trashes Outlook Fonts (Outlook 2000, 2002)

Topic

New Reply

Outlook 2000 SR1
Installed the MS023 tonight an do not see any problems yet.

I have installed the May 11 2002, View Control Security Update.

I have NOT installed the SP2 or the Aug 9, 2001, Extended E-mail Security Updates.

Reply | Quote

Replies

Ray –

Try clicking the “Organize” or “Find” icons on the toolbar.

Do the instructions appear in Times New Roman? They should be in Tahoma…

Reply | Quote

Woody,
I have installed the “MS023” patch. I tried doing a search within Outlook 2002 and had NO problems.

I am running Windows XP Pro, and Office 2002, with Outlook version as 10.2627.2625. I have NOT installed any of the Service Releases.

DaveA I am so far behind, I think I am First
Genealogy....confusing the dead and annoying the living

Reply | Quote

in outlook 2002, only Organize is messed up. It’s butt ugly. Find in OL2002 is the tiny little bar and doesn’t use css. In 2000, Find is as ugly as Organize.

In testing, it only looks ugly, but it still works. It uses the fonts from IE, so you can change it.

Reply | Quote

This is Win98SE with Outlook98. The Organize and Find text is in TimesNewRoman — as described — but it certainly does not look that bad…

Reply | Quote

I am not entirely clear on how the update did this. As best I can tell this is related to the second vulnerability: “Local Information Disclosure through HTML Object (CAN-2002-0191)”.

This vulnerability involves the potential reading of information stored locally (on your computer). The “mitigating factor” is that the file to be read must contain “a particular, individual ASCII character”. MS steps all around and never tells you the character: the left “brace” or “curly-backet” (“{“). I suspect this character must be fairly ubiquitous in Cascading Style Sheets. The demonstration of this vulnerability is here: http://sec.greymagic.com/adv/gm004-ie/%5B/url%5D

On my trials, I found that only some portions of a given file (which must contain a left curly brace) could be read. So, to me the vulnerability is quite limited.

The patch claims to fix this: “by implementing proper handling of the HTML object in question when it makes calls to files on the local system.” Whatever that means…

It seems that Outlook98 uses HTML files to create the “panes” that appear when you click “Find” or “Organize”. These pages are located as “resources” inside this file: Outlwvw.dll. On my Win98 system with Outlook98, this resides in C:Program FilesMicrosoft OfficeOffice.

The HTML resources are entitled Find.htm and Org.htm respectively. It appears that the “Style” of these pages — including the text fonts — are controlled in a CSS (Cascading Style Sheet) file. The one in question is also appears to be a “resource” inside Outlwvw.dll and it is called “Org.css”.

If you open Outlwvw.dll with a binary file viewer you can actually see these things. I believe this is the begining of Find.htm:
—————————–

———————————–
You will of course note this line: REL=stylesheet HREF=”res://outlwvw.dll/org.css”.
As I stated, this should be pointing to the style sheet for Find.htm.

Here is the header for the Org.htm file:
————————–

—————————-
Again you see the same style sheet called.

SOMEHOW the new patch screws up the way Outlook is calling this LOCAL CSS resource. Time to run, but I thought you might find this input intriguing.

Reply | Quote

In fact, that’s EXACTLY what happened.

Details coming up in WOW this week. Stay tuned.

Excellent sleuthing, by the way…

Reply | Quote

Thanks. Sorry to run before I was finished, but I had to get the kids to bed. :-]

At the end of what appears to be “Org.htm” (aka Organize Webview) — before the next NULL character — there is ‘style sheet’ information which I suspect IS the “Org.css” file. The beginning of this resource looks like this:
———————————————————–

<!–

.option {
font-family: "Tahoma";
font-weight: normal;
font-size: 8pt;
color:window;
cursor:hand;
text-decoration:underline;
}

.optionselected {
font-family: "Tahoma";
font-weight: normal;
font-size: 8pt;
color:windowtext;
cursor:hand;
text-decoration:underline;
}

.title { font-size: 12pt;
font-weight: bold;

}
—————————————-

Etc, etc. At least two things are worth noting:
1) the "left curly brace" certainly IS important in CSS files (duh!, I wish I really understood coding!)
2) the ".option" section MOST LIKELY is to specify the font that we SHOULD be seeing in both he Organize and Find panes. As you stated — is it Tahoma not Times New Roman. Also notice that the ".title" section has no specified font and I suspect that means TimesNewRoman is the default font to be used.

Let me jump off topic for one second. You CAN change the default IE fonts. For "English" — or perhaps even "US English" — they appear to be stored here:
——————-
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3
IEPropFontName="Times New Roman"
IEFixedFontName="Courier New"
——————-
There are other numbered sub-keys there that MAY be for other languages — otherwise I don't know why there is more than one. My computer here in the US uses sub-key "3".

Back on topic:
So… when you click on the Find or Organize buttons, Find.htm or Org.htm are called to open — and they are supposed to use the CSS information stored in the "Org.css" resource inside Outlwvw.dll. This CSS resource is in the EXACT SAME file that the .htm resources are located in — namely Outlwvw.dll. These are all located on your computer, so one would expect them to be in the MyComputer (aka LocalMachine) zone. One would suspect that few restrictions would be placed on this relatively simple transaction.

However, after the MS02-023 patch, the ability to use a local CSS file seems to have been severely impaired. Exactly how "implementing proper handling of the HTML object in question when it makes calls to files on the local system" translates into: "we screwed up your ability to use a local CSS resource in the same .dll file as the .htm resource" — is way beyond my ability to grasp.

You will note, MS again feels the need to shroud this in mystery. They don't come out and say "Left Curly Brace" ({) — it is the "particular, individual ASCII character". (The original version of the MS02-023 bulletin had a difficult time even spelling the word "particular".) Additionally, MS feels the need to obscure the issue further by using terms like "the object in question". Are they simply referring to a Cascading Style Sheet? Is that the 'secret' object, or do they mean something else? It is interesting that in the bulletin in question "the object in question" must call on a file with "the particular character in question". Gee, could they be a little more vague?

There are two interesting registry values that get queried upon opening the the "Organize" pane. They are:
—————————————
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain
"CSS_Compat"=""
"Use Stylesheets"=""
—————————————-
I had originally hoped that adding these non-existent values — and setting them to "yes" — might override this CSS blockage. But, so far on my preliminary trials this has not succeeded.

A Google search of "CSS_Compat" was fruitless and it appears that "Use Stylesheets" is "yes" by default…
http://support.microsoft.com/default.aspx?…b;en-us;Q183717%5B/url%5D
http://support.microsoft.com/default.aspx?…b;EN-US;q272518%5B/url%5D

Oh well. Good luck on your upcoming expos

Reply | Quote

Er, WOW!

That’s the most thorough – and accurate – explanation I’ve seen.

OK if I quote you?

Reply | Quote

It’s fine with me!

Reply | Quote

You can also change the fonts using Tools – internet options – general tab – fonts button at the bottom of the tab from within IE to fix the problem while we are waiting for the patch. The font is still a bit big in Outlook though. This fix does mean all webpages with stylesheets are in Tahoma. But that is probably not a bad thing

Reply | Quote

I’m getting reports from all over the place that installing the Internet Explorer “Critical Update” MS released yesterday (MS02-023, http://www.microsoft.com/technet/security/…in/MS02-023.asp%5B/url%5D ) trashes the Outlook 2000 and 2002 “Find” and “Organize” fonts.

I’m about to install the update on a sacrifical machine, and should have a special WOW out shortly.

If any of you have hit the problem, could you send me confirmation, observations – and any suggestions you might have for fixing it? Send me mail directly – talk2woody@woodyswatch.com

Thanks!

Reply | Quote

Woody, call me stoopid (ok, you’re stoopid!), but could the font change be anything to do with the virus attachments that substitiute common filenames with I’s and L’s in order to mislead users? Is BS, I mean MS trying to slowly rectify that particular visual security hole?

Am I making any sense?

Reply | Quote

Nope, Woody is right that it’s the patch.

From information i’ve gleened from other sources, the IE patch blocks HTML from reading style sheets located on local machines. Outlook uses several web style pages that are stored in a dll and that dll uses a global style sheet, instead of including the css in the page.

I’m trying to find out if any other applications will be affected, since we’re pushing the patch out to desktops Monday morning. I don’t want to spend all day answering calls about programs not looking ‘right’.

Reply | Quote

It affects FrontPage drastically, anyone got a fix for that? (She says looking for the FrontPage forum)

Reply | Quote

yes… use inline css.

Reply | Quote

Nope, it’s more subtle. Details coming in WOW this week…

Reply | Quote