Firewall Wizards mailing list archives
RE: HTML Emails and Firewall Security
From: "dave kleiman" <dave () netmedic net>
Date: Sat, 2 Aug 2003 15:20:52 -0400
You could always utilize the NOHTML.DLL in any Outlook client (2000,2002) etc. _____________________ Dave Kleiman dave () netmedic net www.netmedic.net "High achievement always takes place in the framework of high expectation." Jack Kinder -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Bill Royds Sent: Friday, August 01, 2003 23:37 To: Fabio Pietrosanti (naif); firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] HTML Emails and Firewall Security Under the Outlook 2003 rules, that bugtraq example would not be a problem because Javascript (nor an out of line image) is not allowed. As you pointed out in BugTraq, even plan text messages containing HTML/Javscript are executed at present. Microsoft's old paradigm is certainly wrong. Perhaps their latest one is a little better. ----- Original Message ----- From: "Fabio Pietrosanti (naif)" <fabio () pietrosanti it> To: <firewall-wizards () honor icsalabs com> Sent: Friday, August 01, 2003 6:05 AM Subject: Re: [fw-wiz] HTML Emails and Firewall Security Unfortunatelly the Microsoft way of "securing" application often fails: http://lists.insecure.org/lists/bugtraq/2003/Jul/0058.html And they are not going to fix it. On Wed, Jul 30, 2003 at 09:41:50PM -0400, Bill Royds wrote:
The new Microsoft Outlook client has several levels of HTML filtering from text only to "html only with no images or script or other links" to html with no script but with embedded images to full blown HTML. The second
level
(HTML formatting for text but no other HTML) is probably the best for most users. It allows some structure in a message (heading, italic, bold, tabular data) to help convey information in a more readable fashion than plain text, but limits the effects of scripts or web bugs.
-- Fabio Pietrosanti ( naif ) E-mail: fabio () pietrosanti it - naif () sikurezza org PGP Key available on my homepage: http://fabio.pietrosanti.it/ -- Security is a state of being, not a state of budget. rfp -- _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: HTML Emails and Firewall Security Fabio Pietrosanti (naif) (Aug 01)
- Re: HTML Emails and Firewall Security Bill Royds (Aug 02)
- RE: HTML Emails and Firewall Security dave kleiman (Aug 03)
- <Possible follow-ups>
- Re: HTML Emails and Firewall Security Victoria of Borg (Aug 07)
- Re: HTML Emails and Firewall Security Bill Royds (Aug 02)