funsec mailing list archives
RE: 2 critical vulns and the clock is ticking..[Fwd: [EEYEB-2000801]]
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 10 Jan 2006 22:10:49 -0500
Thanks for the background. Is there any way to find out all the flavors of MIME types that Outlook and Outlook Express will accept as email messages? Can everything but plain text and HTML then be turned off in Outlook and Outlook Express?

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Matthew Murphy
Sent: Tuesday, January 10, 2006 7:02 PM
To: funsec () linuxbox org
Subject: Re: [funsec] 2 critical vulns and the clock is ticking..[Fwd: [EEYEB-2000801]]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Gadi Evron wrote:
OK, so we have an advisory for this. Fun. Any idea about the NGSsoftware one? Gadi.
It appears that NGSSoftware's report is related to the TNEF functionality that supports embedding COM/OLE/ActiveX objects into RTF e-mail. The MS bulletin states that TNEF files can contain "malicious OLE objects", which I take to mean you can embed items that, when viewing on them is triggered, execute code that may not be safe for a mail-reading environment.

Exactly what that has to do with Exchange Server's role in processing routed TNEF-encoded e-mail, I have no idea. TNEF is only used to encode e-mail in Microsoft's proprietary "Rich Text" format, which is a heavily-extended RTF.

Due to the information leakage and incompatibility of TNEF with standards-compliant e-mail readers, most servers and most users shouldn't have a need to send or receive RTF e-mail with attached TNEF formatting information. Stripping the relevant MIME type (I believe, application/x-ms-tnef) should be sufficient. It will reduce potentially-nasty RTF-encoded e-mail to standard plain text.

- --
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDxErrfp4vUrVETTgRA0KsAJ9db/mSRDl7luRN8QzicoN9JpUlewCfbzPD
uPUxmEluYbrlQGVVgxX3nTA=
=GunB
-----END PGP SIGNATURE-----

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
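The mitigation Matthew describes above (drop the application/x-ms-tnef part at the server so an RTF/TNEF message falls back to its plain-text body) is simple enough to show in full. The following is an added example written for this archive page, not code posted by anyone in the thread and not a Microsoft or Exchange feature. It uses only the Python standard library, walks nested multiparts, and removes TNEF leaves by content type or by the conventional winmail.dat attachment name. Going one step beyond the thread, it also offers the allow-list Richard asks about: keep only text/plain and text/html leaves and drop everything else. The two extra TNEF type spellings (application/ms-tnef, application/vnd.ms-tnef), the winmail.dat name and the sample message are the editor's assumptions; the thread itself only names application/x-ms-tnef.

```python
"""Strip TNEF (winmail.dat) parts from a MIME message before delivery.

Added example for the funsec thread above; not code from the list, from
Microsoft, or from Exchange. Standard library only.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Callable

# The thread names application/x-ms-tnef. The other two spellings and the
# winmail.dat attachment name are assumptions drawn from common practice.
TNEF_TYPES = {"application/x-ms-tnef", "application/ms-tnef", "application/vnd.ms-tnef"}
TNEF_FILENAME = "winmail.dat"
# Allow-list for the stricter mode Richard asks about.
TEXT_TYPES = {"text/plain", "text/html"}


def is_tnef_part(part: EmailMessage) -> bool:
    """True if a leaf part carries TNEF, by content type or by attachment name."""
    ctype = part.get_content_type().lower()
    fname = (part.get_filename() or "").lower()
    return ctype in TNEF_TYPES or fname == TNEF_FILENAME


def is_non_text_part(part: EmailMessage) -> bool:
    """Allow-list predicate: drop any leaf that is not plain text or HTML."""
    return part.get_content_type().lower() not in TEXT_TYPES


def prune(msg: EmailMessage, drop: Callable[[EmailMessage], bool]) -> int:
    """Remove, in place, every leaf part for which drop() is true.

    Recurses into multipart/* containers only (a message/rfc822 forward is
    treated as a single leaf and is not opened). Returns the number of
    leaves removed. A container that loses all children is left empty
    rather than rewritten, so the caller can decide what to do with it.
    """
    if msg.get_content_maintype() != "multipart":
        return 0
    removed = 0
    kept = []
    for part in msg.iter_parts():
        if part.get_content_maintype() != "multipart" and drop(part):
            removed += 1
            continue
        removed += prune(part, drop)
        kept.append(part)
    msg.set_payload(kept)
    return removed


def filter_message(raw: str, drop: Callable[[EmailMessage], bool]) -> tuple[str, int]:
    """Parse RFC 5322 text, prune it, and return (filtered text, removed count)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = prune(msg, drop)
    return msg.as_string(), removed


def leaf_types(raw: str) -> list[str]:
    """Content types of the leaf parts, in order; useful for before/after checks."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_content_type() for p in msg.walk()
            if p.get_content_maintype() != "multipart"]


# Constructed sample: an Outlook-style message with a text/HTML alternative,
# a TNEF blob (body is the TNEF signature bytes 78 9F 3E 22 in base64) and an
# unrelated PDF attachment, so the two predicates give different results.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="us-ascii"

Please see the attached report.

--inner
Content-Type: text/html; charset="us-ascii"

<p>Please see the attached report.</p>

--inner--

--outer
Content-Type: application/x-ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"

eJ8+Ig==

--outer
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=

--outer--
"""
```

Run `filter_message(SAMPLE_MESSAGE, is_tnef_part)` to get the message with only the winmail.dat part removed (the PDF survives), or pass `is_non_text_part` for the allow-list behaviour that also drops the PDF. Either way the text/plain and text/html leaves are untouched, which is the "reduce to standard plain text" outcome Matthew describes. Note the trade-off for the recipient: anything Outlook carried only inside the TNEF blob (Rich Text formatting and any attachments embedded in it) is gone after filtering, so a site that strips TNEF at the gateway should also tell its senders to stop emitting Rich Text.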
Current thread:
- 2 critical vulns and the clock is ticking.. [Fwd: [EEYEB-2000801]] Gadi Evron (Jan 10)
- Re: 2 critical vulns and the clock is ticking.. [Fwd: [EEYEB-2000801]] Mike Owen (Jan 10)
- Re: 2 critical vulns and the clock is ticking.. [Fwd: [EEYEB-2000801]] Matthew Murphy (Jan 10)
- RE: 2 critical vulns and the clock is ticking..[Fwd: [EEYEB-2000801]] Richard M. Smith (Jan 10)
- Re: 2 critical vulns and the clock is ticking..[Fwd: [EEYEB-2000801]] Valdis . Kletnieks (Jan 10)
- RE: 2 critical vulns and the clock is ticking..[Fwd: [EEYEB-2000801]] Richard M. Smith (Jan 10)