funsec mailing list archives
RE: Ilfak's WMF patch v. Microsoft's solution
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Jan 2006 08:18:55 -0500
I wish I knew how to build an email message with IFRAME and the CID: protocol. It don't feel conformtable assuming this trick wouldn't work. BTW, I discovered that there are different types of .WMF files. Certain .WMF files are displayed by IE directly and do not fire up the Windows Picture/FAX viewer when they are referenced by an IFRAME. Richard -----Original Message----- From: Larry Seltzer [mailto:larry () larryseltzer com] Sent: Monday, January 02, 2006 7:58 AM To: 'Richard M. Smith'; funsec () linuxbox org Subject: RE: [funsec] Ilfak's WMF patch v. Microsoft's solution You're also presuming that the format and implementations of CID: support WMFs. The fact that we haven't seen one so far makes me wonder if this is the case. I think the CID format is described here: http://www.rfc-editor.org/rfc/rfc2111.txt and there is more useful info here: http://mailformat.dan.info/body/html.html Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazine larryseltzer () ziffdavis com -----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith Sent: Monday, January 02, 2006 7:27 AM To: funsec () linuxbox org Subject: RE: [funsec] Ilfak's WMF patch v. Microsoft's solution I believe that it is possible that all versions of Outlook and Outlook Express will render an IFRAME in HTML email messages if the IFRAME uses the CID: protocol to reference an attached file. IFRAMEs will work in this situation regardless of security settings. I know for example that Outlook 2003 never blocks images loaded with the CID: protocol in HTML email messages. If my theory is correct, then it should be possible to build a worm that auto-executes simply by reading an HTML email message. The worm also would not require an external Web site to operate. I asked Microsoft about the IFRAME/CID: issue on Friday. They haven't said yet if this is a problem or not. I don't have any good way to test it myself. Richard _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- RE: Re[4]: Ilfak's WMF patch, (continued)
- RE: Re[4]: Ilfak's WMF patch Richard M. Smith (Jan 02)
- Re[6]: Ilfak's WMF patch Ilfak Guilfanov (Jan 02)
- Re: Re[4]: Ilfak's WMF patch Valdis . Kletnieks (Jan 02)
- Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 01)
- Re: Ilfak's WMF patch v. Microsoft's solution Matthew Murphy (Jan 01)
- RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
- RE: Ilfak's WMF patch v. Microsoft's solution Hank Nussbacher (Jan 02)
- RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
- Re: Ilfak's WMF patch v. Microsoft's solution Alex Shipp (elist) (Jan 03)
- RE: Ilfak's WMF patch v. Microsoft's solution Larry Seltzer (Jan 02)
- RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
- RE: Ilfak's WMF patch v. Microsoft's solution Larry Seltzer (Jan 02)
- Re: Ilfak's WMF patch v. Microsoft's solution Aviram Jenik (Jan 02)
- RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
- Re: Ilfak's WMF patch v. Microsoft's solution Matthew Murphy (Jan 02)
- RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
- Re: Ilfak's WMF patch v. Microsoft's solution Matthew Murphy (Jan 02)
- potential worm exploiting WMF [was: Ilfak's WMF patch v. Microsoft's solution] Gadi Evron (Jan 03)
- Re: potential worm exploiting WMF [was: Ilfak's WMF patch v. Microsoft's solution] Matthew Murphy (Jan 03)