HTML mails and security (Was: RE: Should NTDEV *REJECT* postings - in HTML?)

Decision was made; I only want to clarify security issues. The assumption below
is incorrect; firewalls don’t protect against this form of attack. Even
antiviruses won’t until updated, which can be too late. This form of attack
is targeted against a concrete mail reader and exploits a concrete security
hole. For other mailers and firewalls and antiviruses it would seem a
normal HTML mail and they have no reason to ban it.

An example: from Alberto’s mail headers I can find the mailer he uses. I can
find a hole in it, write a special HTML mail and if lucky, Alberto opens it
and my special code would start automagically formatting SoftICE sources to
HTML and send it to the list.

It isn’t so unreal, there really were holes in Outlook and OE which would
allow something like this. I’m too lazy to find descriptions now but if I once
get tired with slow SoftICE support and decide to fix it myself, I know
Alberto likes HTML mails ;)

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]


From: xxxxx@compuware.com [SMTP:xxxxx@compuware.com]
Reply To: xxxxx@lists.osr.com
Sent: Thursday, January 24, 2002 8:01 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: Should NTDEV *REJECT* postings in HTML?

However, beware of paranoia. And again, many of us don’t have this
problem:
I for example post from behind a corporate firewall. At home, I post from
behind my ISP’s firewall. And there’s no such thing as total safety
anyway.
Now the problem is, what do I want, it’s a tradeoff between safety and
freedom. Sounds familiar?

Alberto.

-----Original Message-----
From: Everhart, Glenn (FUSA) [mailto:xxxxx@FirstUSA.com]
Sent: Thursday, January 24, 2002 1:47 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Should NTDEV *REJECT* postings in HTML?

In order to avoid HTML-borne virii, I have an automated app installed to turn
HTML into text or RTF. It sometimes makes it a pain to read HTML messages.

Not everyone is willing to expose himself to the virus du jour. HTML does
not belong in email so long as any functionality beyond mere text formatting
exists therein.

THOSE are the problems; refer to ntbugtraq, vuln-dev and similar groups for
ample further discussion.

The whole world is NOT on HTML and some are finally realizing its dangers as
currently implemented.

Drop it from the list. It adds nothing.

