Bugtraq mailing list archives

Re: 'cross site scripting' CERT advisory and MS


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 16 Feb 2000 09:39:56 -0800


I wanted to reply to this, and make a clarification -

At 08:57 PM 2/14/00 -0500, Rishi Lee Khan wrote:
> There is an easy way to open a web page using an email client using HTML
> parsing ... simply put in the <head> tag <meta http-equiv="REFRESH"
> content="0;URL=http://www.yourpagehere.com">

Tried it, and it doesn't seem to work.  Created an HTML mail with this
embedded, opened it in Outlook, and no refresh.  Did a Save As to dump it
out to file, opened it with IE, got the refresh.  I'm not saying it can't
be made to work, but I can't do it, and it seems like a decent test, since
I am getting it to refresh in IE.

Marc Slemko wrote:
> So while disabling all the "features" that you can when reading HTML mail
> is definitely recommended and protects you against a lot of attacks, it is
> not a complete solution.  I seriously doubt that all the ways of
> exploiting this issue without using scripting languages have been
> discovered.

Now for the clarification:

I am NOT trying to solve the general problem of all the bad things that
either can happen, or are theoretically possible once you plug in the
network cable.  I am trying to solve the specific problem of cross-site
scripting attacks being delivered by e-mail.

What I recommend specifically for using Outlook (probably also applies to
other mail readers using IE as a HTML viewer) is:
1) Set it to run in the Restricted Sites zone
2) Edit the Restricted Sites zone into what I call maximum paranoia mode -
turn EVERYTHING off.  IIRC, cookies are off to begin with, but this gets
them turned off for sure.

Am I now saying that if you do this, you're safe?  Absolutely not.  You're
never safe.  A meteorite could come through the roof, or you could get hit
with an evil bug that isn't publicly known yet.  Anything can happen.  No
one expects the Spanish Inquisition!  I _am_ saying that there are a whole
bunch of things that I _know_ can get you that now won't get you.

Am I saying that HTML mail is a great idea, and that applying these
settings makes it all safe and cozy?  To quote Marc, "NO, NO, NO!!!"  IMHO,
it isn't a great idea, but lots of people use it, and I can't turn it off
in the mail reader I use at work, so I think these settings make it a much
more reasonable risk.

Speaking of which, there are still 3 things that I know of to worry about:
1) Embedded URLs in HTML mail - these will invoke the browser IF you click
on them, and the effect will depend on a lot of other issues.  You're also
now most likely running in the Internet zone, so different settings apply.
Personally, I take a look at them before clicking on them, or just type
them in.

2) HTML attachments - these aren't governed by the mail reader, but by the
browser.  Make the browser settings you think are appropriate.

3) Things I don't know about.  No telling what sort of nastiness is lurking
out there.  Definitely worry about this one.  I don't think security
problems on the Internet are a passing phase - we're all in for a wild ride.

David LeBlanc
dleblanc () mindspring com
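As an added example (not part of the thread above), here is a small scanner for the kind of HTML-mail content the post is worried about: the meta refresh Rishi describes, plus scripts, inline event handlers and javascript: URLs, i.e. the things a Restricted-Sites-zone reader is supposed to neutralise. The sample message is constructed for the example; the findings it reports are what a mail gateway or a reader-side check could log.

```python
# Added example (not from the Bugtraq post): flag active content in an HTML mail part
# that a Restricted-Sites-zone reader is meant to neutralise. Sample message is constructed.
import email
from email import policy
from html.parser import HTMLParser

SAMPLE_MAIL = b"""From: sender@example.invalid
Subject: constructed test message
Content-Type: text/html; charset="us-ascii"

<html><head>
<meta http-equiv="REFRESH" content="0;URL=http://www.yourpagehere.com">
</head><body onload="x()">
<a href="javascript:doThing()">click</a><p>Hello</p>
</body></html>
"""

class ActiveContentFinder(HTMLParser):
    """Records (kind, detail) for scripts, meta refresh, event handlers, javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names; values keep their case.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self.findings.append(("script", ""))
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", attrs.get("content", "")))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag} {name}"))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", value))

def scan_mail(raw: bytes) -> list:
    """Parse a raw RFC 822 message and scan every text/html part it contains."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            findings.extend(finder.findings)
    return findings

if __name__ == "__main__":
    for kind, detail in scan_mail(SAMPLE_MAIL):
        print(f"{kind}: {detail}")
```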

