Bugtraq mailing list archives

Re: Microsoft Security Bulletin MS01-055


From: "Clover Andrew" <aclover () 1value com>
Date: Mon, 12 Nov 2001 16:14:53 +0100

Microsoft Product Security <secnotif () MICROSOFT COM> wrote:

> Mitigating Factors: [...]
>
> Users who have set Outlook Express to use the "Restricted
> Sites" Zone are not affected by the HTML mail exploit of this
> vulnerability

Sorry, but this is not true.

Whilst pages in the Restricted Sites zone are barred from using active
scripting, there are other ways of redirecting the user to a malicious
about: URL. Two I can think of straight away that require no user
intervention are:

  <meta http-equiv="refresh" content="1;url=about:...">
  <iframe src="about:...">

both work on Outlook 2000 with mail content in the Restricted Sites
zone. Since I stated exactly this whilst discussing the previous
vulnerability with secure@microsoft, I'm disappointed to see this
argument wheeled out again.

-- 
Andrew Clover
Technical Consultant
1VALUE.com AG
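
A defensive check for the two script-free vectors named in the message above, added here as an example and not part of the original post: it parses an HTML mail body and reports `meta` refresh targets and `iframe` sources that use the `about:` scheme, and it also covers `frame`, which goes beyond the two tags in the message. The function names and the `about:placeholder` sample value are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tags whose URL attribute is loaded without any script or user action.
URL_ATTRS = {"iframe": "src", "frame": "src"}
# content="<delay>;url=<target>" with optional quotes around the target.
REFRESH_URL = re.compile(
    r"^\s*[\d.]+\s*[;,]\s*(?:url\s*=\s*)?['\"]?\s*(.*?)['\"]?\s*$", re.I | re.S)

# Constructed sample mail body (placeholder target, not a real payload).
SAMPLE = ('<meta http-equiv="refresh" content="1;url=about:placeholder">'
          '<iframe src="about:placeholder"></iframe>')


def scheme_of(url):
    """Lower-cased URL scheme, after dropping whitespace and control characters."""
    cleaned = re.sub(r"[\x00-\x20]", "", url or "")
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else ""


class NavigationFinder(HTMLParser):
    """Collect script-free navigations to the about: scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; entities in values are decoded.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = REFRESH_URL.match(a.get("content", ""))
            url = m.group(1) if m else ""
        elif tag in URL_ATTRS:
            url = a.get(URL_ATTRS[tag], "")
        else:
            return
        if scheme_of(url) == "about":
            self.findings.append((tag, url))


def find_about_navigation(html):
    """Return a list of (tag, url) pairs that navigate to about: without script."""
    finder = NavigationFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

A mail gateway or client-side filter could quarantine or strip any message for which `find_about_navigation` returns a non-empty list, independent of the zone the mail is rendered in.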

