Outlook Web Access Corrupts HTML Attachments

Worried about why you're not getting the full content from your Email? If you're in a corporate environment, this may be the reason. Microsoft is protecting you!

By Scott Dunn Windows Secrets

The "Safe HTML" filter in Microsoft's Outlook Web Access for Exchange Server deletes code from HTML attachments without warning.

Microsoft claims the filtering protects users by removing malicious elements, but the deletions can ruin a collaborative project and the "feature" isn't present in any other Microsoft mail products.

Microsoft Exchange stealth-edits your e-mail

If you use Microsoft's Outlook Web Access (OWA) to send someone an HTML file, don't expect them to see any of the file's comments or scripts. The file you receive may look completely normal, but Microsoft has edited the comments from the file along with other material the company considers dangerous.

It gets worse. According to Microsoft Knowledge Base article 899394, OWA may corrupt the structure of the message, remove some advanced functions, and eliminate other harmless content in the message itself or any attachments.

"Even if an e-mail message appears to be unmodified in Outlook 2003, that same e-mail message may be missing content when you view the message in Outlook Web Access," the article states bluntly.

You needn't even view the attachments to have them modified by the service. Merely right-clicking an attachment and saving it to your computer causes the file's code to be stripped. Microsoft calls this feature of OWA "Safe HTML" filtering.

OWA is a component of Microsoft Exchange Server that provides a browser-accessible version of Microsoft Outlook for anyone who needs to access mail, calendar, and contact info remotely.

The filtering is intended to eliminate malicious scripts and "all potentially unsafe content" from the e-mail messages OWA receives, according to the Knowledge Base. However, as the KB article concedes, some "non-malicious content" may be removed in the process.

The feature was introduced with Exchange Server 2003, but remarks on a forum at MSExchange.org indicate that the filtering is still part of Exchange Server 2007. In one post, a user complains that OWA 2007 is removing JavaScript embedded in his HTML attachments.

It's annoying enough to have the JavaScript edited out of your HTML files, but it's difficult to comprehend how HTML comments, which are not executable, could contain malicious content.

HTML comments start with "". They cannot contain the characters "--" or ">". The comments are not visible in a browser unless you view the page source. They can also be seen if you open the file in a word processor or other text or HTML editor.

Such comments allow Web developers to insert instructions, feedback, and other information that may be useful to clients or co-workers. For example, a page's visual designer could use comments to give coding instructions or feedback to the page's HTML coder.

If the intended recipient of a comment receives the file via OWA, the page will look normal in a browser, but its HTML code will have no JavaScript or comments at all. OWA provides no warning of the deletion, so the recipient has no idea that the file ever contained any comments.

At least you'd know something is wrong with the file if the e-mail program blocked or deleted the attachment, popped up a warning, or added its own warning comments to the attachment. Simply editing the attachment without warning can be completely misleading to anyone who isn't aware of this "feature."

Outlook and other e-mail clients automatically block attachments with certain extensions, such as .js for JavaScript. But in these cases, a warning appears in the mail explaining that the attachment has been blocked.

Safe HTML filtering is found only in OWA. Neither the desktop version of Outlook nor Microsoft's other mail products (Windows Live Hotmail online and the downloadable Windows Live Mail) edit the content of messages or their attachments. Consequently, users of OWA have no precedent to prepare them for or warn them about this behavior.

Stealth security does customers a disservice

Why would Microsoft create one version of Outlook that differs so significantly from the others? For that matter, why include this feature in only one of the company's many mail products?

The Microsoft Knowledge Base article states:

"The filtering in Outlook Web Access for Exchange Server 2003 is more rigorous than the filtering in Microsoft Office Outlook 2003. The reason is that the Outlook Web Access browser interface has more security requirements than the Outlook 2003 interface."

Unfortunately, the article does not explain why the OWA security requirements need to be stricter than those for Outlook itself. If the browser-based version of Outlook is inherently riskier than the desktop version, why isn't Safe HTML filtering used in Microsoft's other Web mail products?

No easy way to preserve your HTML files in OWA

The only workaround offered by the KB article is to post files that you don't want corrupted to a shared network resource and then send the recipient a link to that location via e-mail.

An alternative is to compress your HTML files into a .zip file prior to sending them as e-mail attachments; OWA does not edit the contents of compressed files.

Of course, people expect the files they send via e-mail to be delivered in the same condition in which the files were sent. If a file can't be sent for any reason, customers have every right to expect a warning or explanation.

OWA does neither. The service silently edits perfectly safe comments while giving the impression that your e-mail and attachments have arrived in the same state they were sent in.

It's time for Microsoft to provide clear warnings of this behavior as well as an option for turning the "feature" off.