RE: 2 critical vulns and the clock isticking..[Fwd: [EEYEB-2000801]]

["Greg Wroblewski" <Greg.Wroblewski () microsoft com>]

For Outlook I'm sure that the answer to the second question is 'no'. For
Outlook Express I'm almost sure.

Outlook 2003 accepts valid combinations of the following MIME content
types:

Primary
--------
text
multipart
message
image
audio
video
application

Secondary
----------
plain
html
enriched
ms-rtf
mixed
parallel
digest
related
alternative
rfc822
partial
external-body
octet-stream
postscript
gif
jpeg
basic
mpeg
ms-tnef
msword
wav
pkcs7-mime
pkcs7-signature
x-pkcs7-mime
x-pkcs7-signature
signed
mac-binhex40
x-vcard

Greg
------
This posting is provided as is and confers no rights.



-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Richard M. Smith
Sent: Tuesday, January 10, 2006 7:11 PM
To: funsec () linuxbox org
Subject: RE: [funsec] 2 critical vulns and the clock isticking..[Fwd:
[EEYEB-2000801]]

Thanks for the background.  Is there anyway to find out all the flavors
of
MIME types that Outlook and Outlook Express will accept as email
messages?
Can everything but plain text and HTML then be turned off in Outlook and
Outlook Express?

Richard 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On
Behalf Of Matthew Murphy
Sent: Tuesday, January 10, 2006 7:02 PM
To: funsec () linuxbox org
Subject: Re: [funsec] 2 critical vulns and the clock is ticking..[Fwd:
[EEYEB-2000801]]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Gadi Evron wrote:
> OK, so we have an advisory for this. Fun.
>
> Any idea about the NGSsoftware one?
>
>     Gadi.

It appears that NGSSoftware's report is related to the TNEF
functionality
that supports embedding COM/OLE/ActiveX objects into RTF e-mail.  The MS
bulletin states that TNEF files can contain "malicious OLE objects"
which I
take to mean you can embed items that, when viewing on them is
triggered,
execute code that may not be safe for a mail-reading environment.

Exactly what that has to do with Exchange Server's role in processing
routed
TNEF-encoded e-mail, I have no idea.

TNEF is only used to encode e-mail in Microsoft's proprietary "Rich
Text"
format, which is a heavily-extended RTF.  Due to the information leakage
and
incompatibility of TNEF with standards-compliant e-mail readers, most
servers and most users shouldn't have a need to send or receive RTF
e-mail
with attached TNEF formatting information.

Stripping the relevant MIME type (I believe, application/x-ms-tnef)
should
be sufficient.  It will reduce potentially-nasty RTF-encoded e-mail to
standard plain text.

- --
"Social Darwinism: Try to make something idiot-proof, nature will
provide
you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDxErrfp4vUrVETTgRA0KsAJ9db/mSRDl7luRN8QzicoN9JpUlewCfbzPD
uPUxmEluYbrlQGVVgxX3nTA=
=GunB
-----END PGP SIGNATURE-----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.