On Thu, 10 Feb 2000, David LeBlanc wrote:

> After a bit of dinking in vi, I removed the HTML, AND got it properly
> indented for response, so...
>
> >Mark Slemko wrote:
> >
> >>>>2. Do not use a mail reader that forces you to display HTML messages.
> >Using something like Outlook Express is very dangerous, since it
> >means that you can be exploited if an email message arrives in your
> >inbox and is displayed.
>
> This is overkill. The problem is scripting, not HTML, which are really
> separate issues.

NO! NO! NO!

I don't know how many times I have to say this: the problem is not just with scripting languages. Blaming them there silly scripting languages is missing the whole point.

Yes, most exploits would probably use scripting. But that is simply because scripting languages offer fairly complete control over a browser. A lot of that control can be obtained just by injecting HTML or making requests.

For example, suppose that a server sets a cookie that it then uses later to display information to the client. Say you can store the javascript within this cookie. Then simply having you make a single request to the server with the right URL could result in it setting a cookie that will stick around when you come back later. I have seen an example of this (not sending it via email though) on a real, fairly major web page and it is pretty convincing. Even when you close your browser, if the cookie sticks around (as it normally would), then going back to the site "normally" later will still give you altered content.

Yes, for this example you can disable cookies when reading mail, and should anyway for other reasons. But what other ways are there to do things? I don't know. I do know that things are complex enough that I'm quite unwilling to say that disabling cookies and scripts will leave you "safe".

While obviously following a link from an email, clicking on a button, doing anything on a site that appears (i.e. that the URL is correct) to be a real site can be dangerous, that is a different issue.

Also note that if there is any way to get Outlook Express to open a new IE window with a document in automatically when it loads an email, then you would be vulnerable if you only disabled scripting, etc. for mail and not for "normal" web access. Is there a way to do this? I don't know of any. But again, things are complex enough that I'm quite unwilling to say there is no way to do it.

So while disabling all the "features" that you can when reading HTML mail is definitely recommended and protects you against a lot of attacks, it is not a complete solution. I seriously doubt that all the ways of exploiting this issue without using scripting languages have been discovered. Not that I have seen anyone publicly posting exploits that do things in any of these ways (or any other way...), which I find odd, since there are lots of vulnerable sites out there, and some vulnerabilities that are pretty serious.
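The cookie scenario described in the message, shown from the server side as an added example (this is illustrative code written for this page, not code from the post's author or from any real site): a hypothetical web application stores a display name in a cookie and writes it back into the page on every later visit. Because the cookie persists across browser restarts, whatever markup landed in it keeps being rendered until the cookie is cleared. The vulnerable handler copies the value straight into the page; the hardened one HTML-escapes it at output time and, in addition, refuses to set the cookie in the first place unless the value matches a strict allowlist. The cookie header, the cookie name `displayname` and the helper names are all constructed for the example.

```python
import html
import re
from http.cookies import SimpleCookie
from typing import Optional

# Constructed sample request header: the browser sends back a cookie that the
# hypothetical site set on an earlier visit. The "displayname" value was chosen
# by whoever crafted the URL that made the server set it, not by the user.
SAMPLE_COOKIE_HEADER = "session=abc123; displayname=<b>injected</b>"


def _display_name(cookie_header: str) -> str:
    """Pull the displayname cookie out of a Cookie request header (hypothetical site)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["displayname"].value if "displayname" in jar else "guest"


def render_unsafe(cookie_header: str) -> str:
    """'Before': the stored cookie value is copied into the page as markup.

    Whatever was stored in the cookie becomes part of the document on every
    later visit, which is the persistent effect the message describes.
    """
    return f"<p>Welcome back, {_display_name(cookie_header)}</p>"


def render_safe(cookie_header: str) -> str:
    """'After': the same value is HTML-escaped before it reaches the page,
    so '<', '>', '&' and quotes arrive as text rather than as tags."""
    name = html.escape(_display_name(cookie_header), quote=True)
    return f"<p>Welcome back, {name}</p>"


# Allowlist for the value at the moment it is stored: letters, digits, space,
# underscore, dot and hyphen, at most 40 characters.
_NAME_OK = re.compile(r"[A-Za-z0-9 _.-]{1,40}")


def set_cookie_header(requested_name: str) -> Optional[str]:
    """Defence at the point the cookie is set.

    Only a display name matching the allowlist is stored; anything else is
    rejected and no cookie is set. Returns the Set-Cookie header value, or
    None when the input was refused. HttpOnly keeps page scripts from reading
    the cookie; it does not by itself stop the server from reflecting it, which
    is why render_safe() is still needed.
    """
    if not _NAME_OK.fullmatch(requested_name):
        return None
    jar = SimpleCookie()
    jar["displayname"] = requested_name
    jar["displayname"]["httponly"] = True
    jar["displayname"]["samesite"] = "Lax"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_COOKIE_HEADER))
    print("safe:  ", render_safe(SAMPLE_COOKIE_HEADER))
    print("set (ok):      ", set_cookie_header("alice"))
    print("set (rejected):", set_cookie_header("<b>injected</b>"))
```

Both checks matter: escaping at output is what stops stored markup from becoming part of the page, and validating at storage time keeps the cookie from carrying anything but a plain name even if some other page on the same site forgets to escape. Disabling cookies or scripts in the mail reader, as the message notes, limits exposure on the client side but does nothing about a site that reflects cookie contents unescaped.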
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:33 PDT