Security Incidents mailing list archives

RE: Stopping information leakage


From: "James C. Slora, Jr." <Jim.Slora () phra com>
Date: Wed, 14 May 2003 10:09:10 -0400

Jerry Shenk wrote Tuesday, May 13, 2003 6:42 PM

That's not malware of any hidden anything....apparently your e-mail app is
programmed to process html links.  The original e-mail message included the
link for this web site.  It is quite interesting that a simple text link
like that would cause a connection.  Chalk up another reason not to use
Outlook!

I agree that it is not malware. The IMG is performing a function very similar to a web bug, but since it uses a file: 
reference it can cause information leakage beyond that of a normal web bug. I agree with Vernon Stark's original 
analysis.

The mail client was not prefetching or processing a link, it was rendering an image with an external source. Processing 
the IMG tag - even when it references external resources - is a common function of rendering HTML email and is intended 
to cause a connection (which is why web bugs work). 

The file: behavior is yet another good reason not to render HTML in email. I don't know if Outlook is any better or 
worse than another HTML-aware package in this one specific regard. I guess file: sources should probably be discarded 
even when HTML is being rendered, but it is more important to make sure that SMB ports are blocked at the perimeter.

I'm curious whether the file: reference will cause the IMG call to bypass web bug filtering packages. Anyone able to 
test this?
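
The message above suggests discarding file: sources even when HTML is rendered. As an added example that is not part of the original post, the following classifies every IMG source in an HTML body and shows which ones a check that only matches http(s) URLs would not see. The sample HTML, the host names and the http-only check are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; host names are placeholders, not from the post.
SAMPLE_HTML = """<html><body><p>Hello</p>
<img src="http://tracker.example/bug.gif" width="1" height="1">
<img src="file://fileserver.example/share/logo.gif">
<IMG SRC=" FILE:////fileserver.example/share/x.gif">
<img src="\\\\fileserver.example\\share\\logo.gif">
<img src="cid:logo@mail.example">
</body></html>"""

def classify_src(src):
    """Classify an IMG src value as 'file', 'unc', 'remote' or 'other'."""
    # Drop whitespace/control characters and normalise backslashes first,
    # so " FILE:" and "\\host\share" are not missed.
    s = re.sub(r"[\x00-\x20]", "", src).replace("\\", "/")
    if s.startswith("//"):
        return "unc"       # \\host\share; scheme-relative is treated the same
    try:
        scheme = urlsplit(s).scheme.lower()
    except ValueError:
        return "other"
    if scheme == "file":
        return "file"
    if scheme in ("http", "https", "ftp"):
        return "remote"    # ordinary web bug territory
    return "other"         # cid:, data:, relative names

class ImgSources(HTMLParser):
    """Collect the src attribute of every IMG tag (names are lowercased)."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def audit(html):
    """Return (src, category, seen_by_http_only_check) for each IMG."""
    parser = ImgSources()
    parser.feed(html)
    parser.close()
    http_only = re.compile(r"^https?://", re.I)  # hypothetical narrow check
    return [(s, classify_src(s), bool(http_only.match(s))) for s in parser.sources]

def sources_to_discard(html):
    """IMG sources to drop before rendering: file: URLs and UNC paths."""
    return [s for s, cat, _ in audit(html) if cat in ("file", "unc")]

if __name__ == "__main__":
    for src, cat, seen in audit(SAMPLE_HTML):
        print(f"{cat:6} http-only-check={seen!s:5} {src!r}")
```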
