funsec mailing list archives

RE: Ilfak's WMF patch v. Microsoft's solution


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Jan 2006 16:35:32 -0500

Yep, so the bad guys will have to do social engineering to get people to click
on a link to spread a worm.  I wonder then if an <a href=> tag can use a cid:
URL.  If so, a worm can be self-contained inside of an HTML email message
and not require an external Web site to operate.  External Web sites can be
shut down to stop a spreading worm.  A self-contained worm OTOH is harder to
stop.

As an aside, the IFRAME blocker in Outlook also works with regular HTML
FRAMEs.

Richard 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Matthew Murphy
Sent: Monday, January 02, 2006 4:12 PM
To: funsec () linuxbox org
Subject: Re: [funsec] Ilfak's WMF patch v. Microsoft's solution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Richard M. Smith wrote:
I believe that it is possible that all versions of Outlook and Outlook
Express will render an IFRAME in HTML email messages if the IFRAME uses the
CID: protocol to reference an attached file.  IFRAMEs will work in this
situation regardless of security settings.  I know for example that Outlook
2003 never blocks images loaded with the CID: protocol in HTML email
messages.

IFRAMES haven't worked in either product for years.  MS02-023 blocked the
Restricted Sites zone from rendering IFRAMEs.  That change has been
forward-ported into every further IE release.

Outlook Express 6.0 defaults to rendering e-mail in the restricted sites
zone, as do Outlook 2002 and 2003.  Outlook 2000 with the Outlook E-mail
Security Update does the same.

Therefore, IFRAMEs are no longer a threat to users of those products.

If my theory is correct, then it should be possible to build a worm that
auto-executes simply by reading an HTML email message.  The worm also would
not require an external Web site to operate.

Incorrect.

I asked Microsoft about the IFRAME/CID: issue on Friday.  They haven't said
yet if this is a problem or not.  I don't have any good way to test it
myself.

Perhaps the reason they haven't gotten back to you is because that type of
function hasn't been an issue for about three years.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide
you with a better idiot."

                                -- Michael Holstein

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
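A mail-gateway check for the layout the thread argues about, written for this note and not code from the list or either poster: it parses a MIME message, collects the Content-IDs of attached parts, and reports any IFRAME or FRAME in an HTML body whose src pulls one of those parts in through a cid: URL (the self-contained arrangement Richard describes). The sample message is constructed; the tag set and tuple format are this example's own choices.

```python
from email import message_from_string
from html.parser import HTMLParser

FRAME_TAGS = {"iframe", "frame"}

class CidRefCollector(HTMLParser):
    # Collects (tag, content-id) for every element whose src is a cid: URL.
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if src.lower().startswith("cid:"):
            self.refs.append((tag.lower(), src[4:].strip("<>")))

def attachment_ids(msg):
    # Map Content-ID (angle brackets stripped) -> (filename, type) of each non-HTML part.
    ids = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid and part.get_content_type() != "text/html":
            ids[cid.strip("<>")] = (part.get_filename() or "", part.get_content_type())
    return ids

def find_framed_cid_refs(raw_message):
    # Returns (tag, content_id, filename, content_type) for each IFRAME/FRAME in an
    # HTML body whose src resolves to an attached part via a cid: URL.
    msg = message_from_string(raw_message)
    attached = attachment_ids(msg)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = CidRefCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for tag, cid in collector.refs:
            if tag in FRAME_TAGS and cid in attached:
                hits.append((tag, cid) + attached[cid])
    return hits

# Constructed sample (not a captured message): the HTML body frames an attached file by cid:.
SAMPLE = """MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><iframe src="cid:part1@example.invalid"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="picture.wmf"
Content-ID: <part1@example.invalid>

(attachment bytes would go here)
--b1--"""
```

An ordinary inline image (`<img src="cid:...">`) is deliberately not reported, since only the framing tags are in `FRAME_TAGS`.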