Vulnerability Development mailing list archives
Re: Outlook/HTML "proggie"
From: spepper () WLU CA (Shelagh Pepper)
Date: Fri, 2 Jun 2000 09:45:09 -0400
My point is that a lot of users (here at least) always click YES. In addition, a number of users, tired of getting the warning messages, change their security settings to avoid the warning messages, in which case it IS transparent to the user. For example, my script ran on a Help Desk technician's PC with no warning messages at all!

I do agree that for a lot (the majority?) of users, you might as well have a vbs script attached. We were hit pretty hard by the IxxxxYOU (key word not spelled out to avoid all the postmaster mail I got yesterday) script, and only a few days later users happily let my script run, so I don't believe the warning messages provide much security, at least not here.

BTW, methodman's script is not effective if you have installed Microsoft's patch for the "SCR" vulnerability, originally posted: August 31, 1999; see http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

Shelagh

At 11:07 AM 6/1/00 -0400, Maxime Rousseau wrote:
I have tested this a little bit here and I have not been able to use the FSO within an HTML message, unless the user explicitly clicks YES at the prompt for unsafe ActiveX or has his security set to allow unsafe ActiveX in HTML emails. That's not so by default, and if your 'CAN' involves the user clicking the YES box, then it's not all that great; you might as well have a vbscript file attached. My point was (and still is) you can't use a FSO in an HTML email in a transparent-to-user manner, sorry if I was unclear.
Shelagh Pepper                          (519) 884-0710 x3939
Multimedia Coordinator                  (519) 884-1970 x3939
Computing and Communication Services    (519) 884-1279 FAX
Wilfrid Laurier University              spepper () wlu ca
Waterloo, Ontario, N2L 3C5              webmaster () wlu ca