Outlook, IFRAMEs, and auto-executing .WMF files

["Richard M. Smith" <rms () computerbytesman com>]

Hi,

For most Outlook users, it looks like a .WMF file will not auto-execute from
an HTML email message using an IFRAME and the CID: protocol.  With default
security settings, Outlook (and Outlook Express) will not display any
IFRAMEs.  This change was made back in 2002 because of the Klez email worm:

   http://www.windowsitpro.com/Article/ArticleID/25269/25269.html

It did verify however, if Outlook is set to a lower security setting, a .WMF
file will auto-execute from an IFRAME in an HTML email message.  Hopefully,
it is rare that people are lowering their Outlook security settings even
though Microsoft makes it relatively easy to do.

On a related question, do Hotmail, Yahoo mail, and Gmail all block IFRAMEs
when displaying HTML email messages?

Richard M. Smith
http://www.ComputerBytesMan.com



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.