Re: Microsoft Security Bulletin MS01-055

From: Clover Andrew (acloverat_private)
Date: Mon Nov 12 2001 - 07:14:53 PST


    Microsoft Product Security <secnotifat_private> wrote:
    
    > Mitigating Factors: [...]
    
    > Users who have set Outlook Express to use the "Restricted
    > Sites" Zone are not affected by the HTML mail exploit of this
    > vulnerability
    
    Sorry, but this is not true.
    
    Whilst pages in the Restricted Sites zone are barred from using active
    scripting, there are other ways of redirecting the user to a malicious
    about: URL. Two I can think of straight away that require no user
    intervention are:
    
      <meta http-equiv="refresh" content="1;url=about:...">
      <iframe src="about:...">
    
    both work on Outlook 2000 with mail content in the Restricted Sites
    zone. Since I stated exactly this whilst discussing the previous
    vulnerability with secure@microsoft, I'm disappointed to see this
    argument wheeled out again.
    
    -- 
    Andrew Clover
    Technical Consultant
    1VALUE.com AG
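
A defensive check built on the point made in the message above, as an added example that is not part of the original post: a mail-gateway style filter that flags HTML mail which loads a non-web URL scheme with no script and no user action, through the two constructs the post names. The function names, the allowed-scheme list and the sample mail are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: schemes a mail client may load automatically; anything else is flagged.
ALLOWED_SCHEMES = {"http", "https", "cid"}

def url_scheme(url):
    """Return the lower-cased scheme of url, or "" for a relative URL."""
    # URL parsers drop leading whitespace and embedded tabs/newlines;
    # strip all whitespace and control characters conservatively.
    cleaned = re.sub(r"[\x00-\x20]", "", url).lower()
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned)
    return m.group(1) if m else ""

class AutoNavFinder(HTMLParser):
    """Collects (tag, scheme) for scriptless auto-loading of a disallowed scheme."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, url):
        scheme = url_scheme(url)
        if scheme and scheme not in ALLOWED_SCHEMES:
            self.findings.append((tag, scheme))

    def handle_starttag(self, tag, attrs):
        # Attribute names arrive lower-cased and values entity-decoded.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # content looks like "1;url=TARGET"; pull out TARGET
            m = re.search(r"url\s*=\s*['\"]?\s*([^'\";]*)", a.get("content", ""), re.I)
            if m:
                self._check(tag, m.group(1))
        elif tag in ("iframe", "frame"):
            self._check(tag, a.get("src", ""))

def find_auto_navigation(html):
    finder = AutoNavFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample mail body; "about:..." is left elided as in the post.
SAMPLE_MAIL = """<html><head>
<meta http-equiv="refresh" content="1;url=about:...">
</head><body><iframe src="about:..."></iframe>
<iframe src=" A&#98;out:..."></iframe>
<iframe src="https://example.com/newsletter"></iframe>
<img src="cid:logo"></body></html>"""
```
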
    



    This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 10:26:13 PST