Microsoft Outlook Express

Outlook Express is an e-mail and news client included in versions of Microsoft Windows from Windows 95 OSR-2 to Windows XP Service Pack 2 (SP2). It is also bundled with Internet Explorer, and available for the classic Apple Macintosh operating system. Microsoft Entourage, which is sold as part of Microsoft Office for Macintosh, has replaced Outlook Express for Mac OS X.

Outlook Express is the successor of Microsoft Internet Mail and News, an early e-mail client add-on for Internet Explorer 3.0.

In October 2005, Microsoft announced that Windows Vista would include a new application named Windows Mail, effectively discontinuing Outlook Express. Microsoft is also developing Windows Live Mail Desktop, a replacement for Outlook Express in Windows XP and a superset of Windows Mail in Windows Vista.

Description
Outlook Express is a different program from the Microsoft Office Outlook e-mail client which ships with Microsoft Office for Windows. The two programs do not share common code, but do share a common architectural philosophy. The similar names lead many people to incorrectly conclude that Outlook Express is a stripped down version of Outlook.

Windows 95 included Internet Mail and News, a simple precursor to Outlook Express. Internet Mail and News handled plain text e-mail (not HTML mail), and had none of the security holes Outlook is known for. However, Microsoft did not provide it with a way to back up the address book — something that would later create a great deal of frustration among users.

Outlook Express has been vulnerable to a number of problems which could corrupt its files. This has led to a thriving market for programs which can backup, restore, and recover corrupted OE files. A cursory Web search on the term Outlook Express will reveal dozens of such rescue programs. However, Microsoft has released a procedure for Windows XP which may be able to correct problems and restore access to e-mail messages without resorting to third party solutions using their Outlook Express Basic Repair Kit.

Security issues
Outlook was one of the first e-mail clients to allow a virus in e-mail body (which is not in an attachment), disseminating e-mail viruses by only opening it. That's because Outlook allowed web pages and executable script as email.

In the "Welcome e-mail" for both Outlook and Outlook Express, Microsoft acknowledged that with new HTML e-mail, security was a risk, and described their plan for foiling the security risk. Outlook Express and Internet Explorer both featured security zones—a feature not found in competing products. The zones were Intranet, Internet, Trusted, and Restricted. Internet was for any site not in a zone. Trusted sites could do things without asking user's permission. The trusted zone was clearly designed for administrators who wanted to allow updating without any confusion. AOL used it to add http://free.aol.com to ensure that users who wanted to download their online service client software didn't have to grant them permission via an ActiveX dialog box. AOL was worried that the warning might scare away potential customers. AOL's action required an Internet Explorer hack that should not have been possible if Microsoft's zones had worked as intended. Rather than the zones being controlled by the user, AOL had shown that remote sites could alter them.

But that was a relatively benign breach due to Microsoft's implementation of the plan. Another flaw was the fact that the "Restricted" security zone wasn't restrictive enough. A script could automatically open as an attachment. Another aggravating factor was a bug in Outlook Express's attachment handling that allowed an executable to appear to be a harmless attachment such as a graphics file. This bug was later fixed so that only the last '.' represented the end of the filename and the beginning of the file extension&mdash;the correct behavior for the Windows filesystem. Opening or previewing an e-mail can cause code to run without the user's knowledge or consent. In fact, turning off the preview pane only seemingly circumvents this vulnerability. Even when the preview pane is turned off, Outlook Express automatically "internally" opens the first message in the inbox (see). A host of viruses exploited this.

Outlook Express uses Internet Explorer to render email. So even if users completely avoid use of Internet Explorer and use only other browsers, they are exposed to all its security holes when using Outlook Express. And Internet Explorer is designed to try to execute almost any executable and script it encounters in an effort to make browsing an "easy" experience, which has also enabled it to be the vector of most viruses and other malware.

Obtaining security fixes
Any security fixed acknowledged by Microsoft is handled according to Microsoft's internal security policy, and when necessary, patches are distributed via Microsoft Update. Some minor non-security problems are documented in the knowledge base. Calls to Microsoft's technical support about obtaining patches are without charge.

On the Macintosh platform, Outlook Express uses the Tasman engine, and any support to be had should be found at Mactopia. Microsoft no longer formally supports the product, however.

Secunia's database of security vulnerabilities lists many more flaws (some dating back to 2002) for which Microsoft has not released a patch.

Handling of PGP/MIME signed messages
Outlook Express doesn't correctly handle MIME, and won't display the body of signed messages inline. Users get a blank email and two attachments (one of the message text and one of the signature) and therefore need to open an attachment to see the email.

Storage location of email data
If a user has not been backing up Outlook Express periodically, they may find that the program does not permit an easy 'rescue' of data, for example from a hard drive that is accessible but can no longer be used to boot up from. For those willing to tinker with files themselves in order to rescue their Inbox and Sent Items, and it is useful to know that Outlook Express stores its email files in a location such as the following: "C:\Documents & Settings\Administrator\Local Settings\Application Data\Identities\{SDOCE8ABD-5896-3E3D5}\Microsoft\Outlook Express" where 'Administrator' is the user's logon ID and the value in curly-brackets {} is an arbitrary string. Corresponding folders should be found on both the new hard drive and the old one. However, simply copying files from old to new may not be ideal.

It may help to first run the new version of Outlook Express, create some uniquely-named folders within Outlook Express, e.g. 'Rescued Inbox' (be sure to click on the new folder to actually force the program to create the file 'Rescued Inbox.dbx'). Then quit Outlook Express, find the old inbox on the old hard drive and rename it 'Rescued Inbox.dbx', and finally copy it over to replace the newly formed 'Rescued Inbox.dbx' on your new hard drive. This prevents loss of any new emails, and also ensures that the new version 'knows' about the rescued emails being copied over.

Email addresses data
Outlook Express does not store its own email address list. Instead it relies on the Windows Address Book, which is actually a component of Windows. The address book data are typically found (in NT based versions of Windows) at "C:\Documents and Settings\%USERNAME%\Application Data\Microsoft\Address Book\".

Versions and file formats
Outlook Express stores its e-mail messages in different formats depending on the version.
 * Outlook Express v4, which shipped with Windows 98 (June 1998), stored messages in *.mbx files.
 * Outlook Express v5, which shipped with Windows 98SE (June 1999), switched to *.dbx files, with a separate file for each mailbox folder.
 * Outlook Express v5.50 shipped with Windows 2000 (February 2000)
 * Outlook Express v5.5 shipped with Windows Me (June 2000)
 * Outlook Express v6, which is included with Windows XP, also stores messages in *.dbx files.
 * Windows Mail, which ships with Windows Vista, stores messages in individual *.eml files.

Microsoft

 * Outlook Express home page for Windows
 * Outlook Express home page for Macintosh
 * Differences between Outlook and Outlook Express, from the Microsoft knowledge base
 * How to manually remove and reinstall Outlook Express

Other sites

 * Inside Outlook Express Tips, FAQs, Bug fixes
 * Outlook Express Tips Avoiding viruses, spam and quicker usage of Outlook Express
 * Secunia commercial security firm compares the latest unpatched known flaws of Outlook Express with those of other e-mail clients
 * Outlook Express E-mail Configuration- Configuration of Incoming/Outgoing E-mail Accounts in Outlook Express.
 * Outlook Express API article article giving an introduction about how to use some of the Outlook Express API.
 * Using emails in Outlook Express tutorial about how to compose, send and receive emails in Outlook Express.