funsec mailing list archives

Re: Ilfak's WMF patch v. Microsoft's solution


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Mon, 02 Jan 2006 15:12:13 -0600

Richard M. Smith wrote:
> I believe that it is possible that all versions of Outlook and Outlook
> Express will render an IFRAME in HTML email messages if the IFRAME uses the
> CID: protocol to reference an attached file.  IFRAMEs will work in this
> situation regardless of security settings.  I know for example that Outlook
> 2003 never blocks images loaded with the CID: protocol in HTML email
> messages.

IFRAMES haven't worked in either product for years.  MS02-023 blocked
the Restricted Sites zone from rendering IFRAMEs.  That change has been
forward-ported into every further IE release.

Outlook Express 6.0 defaults to rendering e-mail in the restricted sites
zone, as do Outlook 2002 and 2003.  Outlook 2000 with the Outlook E-mail
Security Update does the same.

Therefore, IFRAMEs are no longer a threat to users of those products.

> If my theory is correct, then it should be possible to build a worm that
> auto-executes simply by reading an HTML email message.  The worm also would
> not require an external Web site to operate.

Incorrect.

> I asked Microsoft about the IFRAME/CID: issue on Friday.  They haven't said
> yet if this is a problem or not.  I don't have any good way to test it
> myself.

Perhaps the reason they haven't gotten back to you is because that type
of function hasn't been an issue for about three years.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
