Re: 'cross site scripting' CERT advisory and MS
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 16 Feb 2000 09:39:56 -0800
I wanted to reply to this, and make a clarification -
At 08:57 PM 2/14/00 -0500, Rishi Lee Khan wrote:
> There is an easy way to open a web page using and email client using HTML
> parsing ... simply put in the <head> tag <meta http-equiv="REFRESH"
Tried it, and it doesn't seem to work. Created an HTML mail with this
embedded, opened it in Outlook, and no refresh. Did a Save As to dump it
out to file, opened it with IE, got the refresh. I'm not saying it can't
be made to work, but I can't do it, and it seems like a decent test, since
I am getting it to refresh in IE.
Marc Slemko wrote:
> So while disabling all the "features" that you can when reading HTML mail
> is definitely recommended and protects you against a lot of attacks, it is
> not a complete solution. I seriously doubt that all the ways of
> exploiting this issue without using scripting languages have been
Now for the clarification:
I am NOT trying to solve the general problem of all the bad things that
either can happen, or are theoretically possible once you plug in the
network cable. I am trying to solve the specific problem of cross-site
scripting attacks being delivered by e-mail.
What I recommend specifically for using Outlook (probably also applies to
other mail readers using IE as an HTML viewer) is:
1) Set it to run in the Restricted Sites zone
2) Edit the Restricted Sites zone into what I call maximum paranoia mode -
turn EVERYTHING off. IIRC, cookies are off to begin with, but this gets
them turned off for sure.
Am I now saying that if you do this, you're safe? Absolutely not. You're
never safe. A meteorite could come through the roof, or you could get hit
with an evil bug that isn't publicly known yet. Anything can happen. No
one expects the Spanish Inquisition! I _am_ saying that there are a whole
bunch of things that I _know_ can get you that now won't get you.
Am I saying that HTML mail is a great idea, and that applying these
settings makes it all safe and cozy? To quote Marc, "NO, NO, NO!!!" IMHO,
it isn't a great idea, but lots of people use it, and I can't turn it off
in the mail reader I use at work, so I think these settings make it a much
more reasonable risk.
Speaking of which, there are still 3 things that I know of to worry about:
1) Embedded URLs in HTML mail - these will invoke the browser IF you click
on them, and the effect will depend on a lot of other issues. You're also
now most likely running in the Internet zone, so different settings apply.
Personally, I take a look at them before clicking on them, or just type
2) HTML attachments - these aren't governed by the mail reader, but by the
browser. Make the browser settings you think are appropriate.
3) Things I don't know about. No telling what sort of nastiness is lurking
out there. Definitely worry about this one. I don't think security
problems on the Internet are a passing phase - we're all in for a wild ride.
dleblanc () mindspring com
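The "decent test" above (does a meta refresh in an HTML mail fire or not) is the kind of thing a mail gateway or a mail-reader hardening check can look for mechanically. The following is an added example, not code from the original post or from Microsoft: a small scanner that walks an HTML mail body with Python's standard-library parser and reports everything that can act without the reader clicking on anything, i.e. the cases the Restricted Sites zone is supposed to neutralise (scripts, frames, objects, `<meta http-equiv="refresh">`, `on*` event handlers, `javascript:` URLs). The sample message and the `example.invalid` URL in it are constructed for the demonstration.

```python
"""Scan an HTML mail body for content that acts without a click.

Added example, not from the original post.  The sample message below is
constructed; ACTIVE_TAGS is this example's own list, not an Outlook setting.
"""
from html.parser import HTMLParser

# Elements that load or execute something on their own when rendered.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet"}


class ActiveContentScanner(HTMLParser):
    """Collects (kind, detail) tuples for anything that needs no user action."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, attrs.get("src", "")))
        # <meta http-equiv="refresh" content="0; url=..."> navigates by itself,
        # which is the case the post tried to reproduce in Outlook.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", attrs.get("content", "")))
        for name, value in attrs.items():
            if name.startswith("on"):  # onload=, onmouseover=, ...
                self.findings.append(("event-handler", f"{name}={value}"))
            if value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"{name}={value}"))


def scan_html_mail(body: str):
    """Return the list of active-content findings for one HTML mail body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample: a meta refresh in <head>, an onload handler and a
# javascript: link, all of which a "maximum paranoia" zone should disable.
SAMPLE_MAIL = """<html><head>
<meta http-equiv="REFRESH" content="0; url=http://example.invalid/landing">
</head><body onload="x()">
<p>Hello, click <a href="JavaScript:void(0)">here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html_mail(SAMPLE_MAIL):
        print(f"{kind:15} {detail}")
```

Run it on a saved `.html` body (the "Save As" step from the post) to see what the mail reader would have been asked to do; a clean message yields an empty list. The parser is deliberately tolerant, so a refresh written with odd capitalisation or a self-closing `<meta ... />` is still reported.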