Bugtraq mailing list archives

Re: IE5 allows executing programs


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 7 Sep 1999 11:23:17 -0700


A couple of people have sent me mail asking how to set Outlook 2000 such
that mail comes in under the 'Restricted Sites' zone.  Here's how:

select Tools menu, Options item
select security tab

The area you want is in the middle of the page in the section marked
'Secure Content'.  Default setting is 'Internet', which isn't too bad, but
'Restricted Sites' is better.  One good reason for this is that most people
don't have any sites in 'Restricted Sites' list, so anything you set in
that zone won't screw up your normal web browsing.  Another good reason is
that the default security settings are better for this zone.  Even with the
'High Security' settings, I like to go in and tweak the following:

Script ActiveX Controls Marked Safe for Scripting - ActiveX seems to be
disabled in other places, but go ahead and set this to prompt or disable
just in case there is some exception I'm not aware of.

Microsoft VM Java Permissions - the sandbox is set to high, but given that
every Java VM out there has had a breach or another, and you don't know
when the next will show up, I disable this.  Who needs dancing bunnies in
their e-mail anyway?

Scripting, Active Scripting - I set this to disable.

I haven't noticed any legitimate e-mail breaking, so I think these changes
can be made without impacting anything you or your users might want.
Please test this on your own before doing this to lots of machines.  YMMV.
The above is what I personally do, and may or may not reflect the views of
my employer or anyone else.

I'm reasonably sure that these settings disallow all of the e-mail attacks
(attachments notwithstanding) that I'm aware of, so this should help make
your system more secure against not only known attacks, but whole classes
of undiscovered issues.

I'm not sure what the variants of Outlook allow in this respect - I think
the same thing was in Outlook 97, but I don't have it installed so I can't
go check.  Not sure about Outlook Express, and I don't know how Eudora 4.x
works with this, either.

David LeBlanc
dleblanc () mindspring com
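An added audit script to go with the post above; it is not part of the original message and the author never supplied code. It reads the Internet Explorer "Restricted Sites" zone (zone 4) from the current user's registry hive and reports whether the three settings the post recommends tightening (Script ActiveX controls marked safe for scripting, Active Scripting, Microsoft VM Java permissions) are at the values the post suggests. It assumes the documented IE zone layout under "Internet Settings\Zones", with URL-action value names 1405, 1400 and 1C00 and the encodings given in the comments; it does not read Outlook's own "Secure Content" selection, which is a separate setting that the post configures through the Outlook GUI.

```powershell
# Added audit script (not from the original Bugtraq post). Reads the IE
# "Restricted Sites" zone (zone 4) for the current user and reports whether
# the settings the post recommends tightening are at the recommended values.
# Assumption: value names 1400 / 1405 / 1C00 follow the documented IE zone
# layout. Outlook's "Secure Content" zone choice is not checked here.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'

# Per-zone URL-action values: 0 = enable, 1 = prompt, 3 = disable.
# 1C00 (Java permissions) is encoded differently: 0 = disable Java,
# 0x10000 = high safety, 0x20000 = medium, 0x30000 = low, 0x800000 = custom.
$checks = @(
    @{ Name = '1405'; Label = 'Script ActiveX controls marked safe for scripting'; Ok = @(1, 3) },
    @{ Name = '1400'; Label = 'Active scripting';                                    Ok = @(3) },
    @{ Name = '1C00'; Label = 'Microsoft VM Java permissions';                       Ok = @(0) }
)

function Test-RestrictedZoneHardening {
    if (-not (Test-Path $zonePath)) {
        Write-Warning "Zone key not found: $zonePath"
        return $null
    }
    $zone = Get-ItemProperty -Path $zonePath
    $results = foreach ($c in $checks) {
        # Registry value names are numeric strings, so access them dynamically.
        $current = $zone.($c.Name)
        [pscustomobject]@{
            Setting  = $c.Label
            Value    = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f [int]$current }
            Hardened = ($null -ne $current) -and ($c.Ok -contains [int]$current)
        }
    }
    return $results
}

$report = Test-RestrictedZoneHardening
if ($report) {
    $report | Format-Table -AutoSize
    if ($report.Hardened -contains $false) {
        Write-Host 'One or more Restricted Sites settings are looser than the post recommends.'
    } else {
        Write-Host 'Restricted Sites zone matches the recommended hardening.'
    }
}
```

Run it in a user's session after applying the settings through the Outlook and IE dialogs to confirm they took effect; a value that shows as "(not set)" means the zone is still using its built-in default for that action. On domain-managed machines the same zone layout under HKLM may override the per-user values, so check there as well if the report disagrees with what the dialog shows.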
