funsec mailing list archives
RE: Ilfak's WMF patch v. Microsoft's solution
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Jan 2006 16:35:32 -0500
Yep, so the bad guys will have to do social engineering to get people to click on a link to spread a worm.

I wonder then if a <a href=> tag can use a cid: URL. If so, a worm can be self-contained inside of an HTML email message and not require an external Web site to operate. External Web sites can be shut down to stop a spreading worm. A self-contained worm OTOH is harder to stop.

As an aside, the IFRAME blocker in Outlook also works with regular HTML FRAMEs.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Matthew Murphy
Sent: Monday, January 02, 2006 4:12 PM
To: funsec () linuxbox org
Subject: Re: [funsec] Ilfak's WMF patch v. Microsoft's solution

Richard M. Smith wrote:
> I believe that it is possible that all versions of Outlook and Outlook Express will render an IFRAME in HTML email messages if the IFRAME uses the CID: protocol to reference an attached file. IFRAMEs will work in this situation regardless of security settings. I know for example that Outlook 2003 never blocks images loaded with the CID: protocol in HTML email messages.

IFRAMES haven't worked in either product for years. MS02-023 blocked the Restricted Sites zone from rendering IFRAMEs. That change has been forward-ported into every further IE release. Outlook Express 6.0 defaults to rendering e-mail in the restricted sites zone, as do Outlook 2002 and 2003. Outlook 2000 with the Outlook E-mail Security Update does the same. Therefore, IFRAMEs are no longer a threat to users of those products.

> If my theory is correct, then it should be possible to build a worm that auto-executes simply by reading an HTML email message. The worm also would not require an external Web site to operate.

Incorrect.

> I asked Microsoft about the IFRAME/CID: issue on Friday. They haven't said yet if this is a problem or not. I don't have any good way to test it myself.

Perhaps the reason they haven't gotten back to you is because that type of function hasn't been an issue for about three years.

-- 
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot."
-- Michael Holstein
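For anyone who wants to check mail for the pattern debated in this thread (an IFRAME, FRAME or <a href> in an HTML part pointing at an attachment through a cid: URL), the following is an added example, not part of the original posts. It parses a message, resolves each cid: reference to the MIME part carrying that Content-ID, and flags everything except an IMG that points at an image part. The function names and the sample message are constructed for illustration.

```python
import email.policy
from html.parser import HTMLParser

# URL-bearing attributes for the tags named in the thread, plus IMG.
URL_ATTRS = {"iframe": "src", "frame": "src", "a": "href", "img": "src"}

class CidRefs(HTMLParser):  # collects (tag, content_id) for each cid: URL
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if name == URL_ATTRS.get(tag) and url.lower().startswith("cid:"):
                self.refs.append((tag, url[4:]))

def find_cid_references(raw):
    """Return [(tag, content_id, mime_type_of_target)] for an RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    by_cid, parser = {}, CidRefs()
    for part in msg.walk():
        if part["Content-ID"]:
            by_cid[part["Content-ID"].strip().strip("<>")] = part.get_content_type()
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return [(t, c, by_cid.get(c, "unresolved")) for t, c in parser.refs]

def is_suspicious(finding):
    tag, _, ctype = finding  # only IMG -> image/* is the expected inline use
    return not (tag == "img" and ctype.startswith("image/"))

# Constructed sample message (attachment bodies left empty on purpose).
SAMPLE = '''\
Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html

<img src="cid:logo"><iframe src="cid:part2"></iframe><a href="CID:part2">x</a>
--B
Content-Type: image/png
Content-ID: <logo>

--B
Content-Type: application/octet-stream
Content-ID: <part2>

--B--
'''
```
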