Bugtraq mailing list archives

Re: 'cross site scripting' CERT advisory and MS


From: dmiller () WFDEVELOPMENT COM (Dustin Miller)
Date: Wed, 9 Feb 2000 05:26:49 -0600


First of all, why'd you post this as HTML?  :)

Secondly...  OE uses the Internet Explorer embedded ActiveX control in its message view window.  There's nothing you can do about that.

Thirdly, an "HTML TO TEXT" converter is damn simple, and it would be TRIVIAL for Microsoft to make a simple one that just tosses out HTML tags, converts &amp; to & and other HTML character entities to their respective ASCII characters and displays what's left.  Simple.  Painless.  Very little system "performance hit".  Shame on them for writing an OS that CHOKES a computer's processor and disk subsystem every time it opens Microsoft PowerPoint, and yet won't remove the IE control from OE upon request because it would be high "overhead" and would "seriously hinder performance."

How many people honestly think that some simple string processing will seriously hinder performance, especially when this processing could be written to occur automatically as you are receiving messages, or only upon display?  Bah!

Dustin

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Eric Lecht
Sent: Tuesday, February 08, 2000 7:39 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: 'cross site scripting' CERT advisory and MS

Mark Slemko wrote:

2. Do not use a mail reader that forces you to display HTML messages.
Using something like Outlook Express is very dangerous, since it
means that you can be exploited if an email message arrives in your
inbox and is displayed.  If you do use something like Outlook
Express, be sure to configure it to disable scripting and make it
as restrictive as possible.  Unfortunately, in the case of Outlook
Express, this doesn't appear to be enough since I can't find any
setting that will stop things like IFRAMEs from automatically
loading, which are enough to make you vulnerable in many situations.
Hopefully I'm missing something.<<<

I wrote Microsoft a few days ago asking about shutting off HTML in Outlook Express, and here's what they wrote back:

CASE_ID_NUM: SRZ000203000844
MESSAGE:
********************** The message for you follows ************************
Eric,

I am afraid that inbound functionality for turning off html code is not
possible in Internet Explorer as default.

There is no pure "html" to "text" converter or selection within the
application. It is unfortunate, I know, and I am sorry to have to deliver
this message to you.

I have however, passed your issue along to members of our development staff
for that feature to be included in future revisions. The very question you
ask is being considered at the most critical levels of our development
process.

The current conventional logic behind why we do not have a html to text
converter is the overhead that would be placed on the machine, browser and
email app that would seriously hinder performance.

I appreciate your time and patience while I have researched your
question. I will be archiving this issue as unresolved. If you have any
questions, please contact me.

Thank you in advance,
harryb

Harry Bynum
North Carolina Desktop Premier Support Team
IE,IEAK,Win 9x/3.x!
Phone:704-XXX-XXXX
Email: hXXX () microsoft com

Powering Up the Desktop! <<<<

The gentleman who responded to my query did so promptly, and from what I gather from his wording (I am afraid that inbound functionality for turning off html code is not possible in Internet Explorer as default.) I would hazard that OE is inexorably tied to IE (ok, i'm not a programmer, just hazarding a guess...) just like IE has deep hooks into Windows itself, hence the inability to _disable_ reading html in basic email. In fact I had limited my inquiry to turning HTML off in OE.

FYI....

Eric Lecht
Network Analyst
State of Idaho
Dept. of Administration

"I do what I can, I work in the dark".
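Added example, not code from Outlook Express, Microsoft, or any poster in this thread: the kind of HTML-to-text pass Dustin describes above, written in Python with the standard library's html.parser. It throws away tags, decodes character entities such as &amp; and &pound;, drops script and style bodies, and, addressing the IFRAME point in Mark Slemko's quoted text, reports every element that would make a mail reader fetch a remote resource or run code merely by displaying the message, so a client can refuse to load them. The sample message is constructed for the example; no real URLs are contacted.

```python
"""Minimal HTML-to-text conversion for a mail reader's message view.

Added example; not code from Outlook Express, Microsoft, or any poster in
the thread.  The SAMPLE message below is constructed for the demonstration.
"""
from html.parser import HTMLParser

# Elements whose text content is never shown to the reader.
SKIP_CONTENT = {"script", "style", "head", "title"}
# Elements that make a client fetch a remote resource or run code as a side
# effect of merely displaying the message.  A plain-text view never honours
# them; the converter reports them so the client can warn or refuse.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet",
               "img", "link", "meta", "form"}
# Elements that start a new line in the rendered text.
BLOCK_TAGS = {"p", "div", "br", "tr", "li", "table", "blockquote", "pre",
              "hr", "h1", "h2", "h3", "h4", "h5", "h6"}


class HtmlToText(HTMLParser):
    def __init__(self):
        # convert_charrefs=True makes the parser decode &amp;, &pound;, &#65;
        # and friends before handing the text to handle_data().
        super().__init__(convert_charrefs=True)
        self.parts = []          # text fragments in document order
        self.skip_depth = 0      # > 0 while inside a SKIP_CONTENT element
        self.active = []         # (tag, attrs) of every ACTIVE_TAGS element seen

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append((tag, dict(attrs)))
        if tag in SKIP_CONTENT:
            self.skip_depth += 1
        elif tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_data(self, data):
        # Script and style bodies arrive here as raw text; skip_depth drops them.
        if self.skip_depth == 0:
            self.parts.append(data)

    def handle_comment(self, data):
        pass  # comments carry nothing the reader should see


def html_to_text(source):
    """Return (plain_text, active_elements) for an HTML message body."""
    parser = HtmlToText()
    parser.feed(source)
    parser.close()
    text = "".join(parser.parts)
    # Collapse whitespace runs the way a browser would and drop blank lines.
    lines = (" ".join(line.split()) for line in text.splitlines())
    return "\n".join(line for line in lines if line), parser.active


# Constructed sample: a message carrying a tracking pixel, an auto-loading
# IFRAME and a script, the things the thread worries about.
SAMPLE = """<html><head><title>Hi</title><style>p{color:red}</style></head>
<body><p>Dear user,</p>
<p>Your order of Tom &amp; Jerry DVDs (&pound;9.99) has shipped.</p>
<!-- tracking -->
<img src="http://example.invalid/beacon.gif" width="1" height="1">
<iframe src="http://example.invalid/landing"></iframe>
<script>alert(document.cookie)</script>
<p>Thanks!</p></body></html>"""

if __name__ == "__main__":
    text, active = html_to_text(SAMPLE)
    print(text)
    for tag, attrs in active:
        print("would auto-load or execute on display:", tag, attrs.get("src", ""))
```

The output of the converter is shown as plain text and never handed back to an HTML renderer, which is why tag stripping is enough here; the same stripping would not be a safe sanitiser for content that is later re-rendered as HTML. The `active` list is the part a mail client should act on: with a text view the IFRAME, the beacon image and the script are never fetched or run, regardless of what the rendering control would have done.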
