About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Rants

Happy Anniversary

Week of March 26, 2002
May marks the two year anniversary of ILOVEYOU.


1. ==== COMMENTARY ====



As we approach the 2-year anniversary of the VBS.LoveLetter virus
outbreak, which catapulted Outlook into the headlines, security
problems continue to arise. Last week, Internet security and privacy
expert Richard M. Smith posted a note to the Windows NTBugtraq mailing
list (see the URL below) that cited four problems with Outlook 2002--
two security problems, one privacy problem, and one case of mixed
messages from Microsoft--that Smith says probably affect earlier
versions of Outlook as well.

According to Smith, the most significant security problem is that
IFRAME tags in HTML messages can run files. IFRAME is an HTML element
that Microsoft Internet Explorer (IE) uses to display a Web page or
another document within a Web page or a mail message. If Windows
considers an IFRAME source file 'safe,' the OS automatically launches
the file when you view a Web page or mail message. But with bug hunters
discovering a steady stream of ways in which supposedly safe files can
execute harmful content (see the news item below), Smith recommends
that Microsoft block all IFRAME content in HTML messages except HTML,
image, and text files.

Another security problem Smith mentions is that although Outlook blocks
JavaScript and VBScript in HTML messages, the application doesn't block
the code in hyperlinks that use 'javascript:' instead of 'http: '.
Because Outlook supports URLs of up to about 2000 characters--long
enough to let malicious users exploit some known IE security holes--
Smith recommends that you block 'javascript:' and 'about:' URLs in mail
messages. This problem is less severe than the IFRAME problem because
the JavaScript code doesn't run automatically--you must click the link
before it will run. However, a malicious user can easily spoof a link
in a mail message. Outlook 2002 doesn't give you a status bar that lets
you view a link's target, as IE does, so the only way to confirm that a
link points to a particular Web page is to read the entire message
source. How many of you do that before you click a link in an HTML

Smith's third complaint about Outlook 2002 is a privacy problem that
might return both a cookie and your email address to a Web site. The
site's administrators could then match the address with the previously
anonymous data associated with that cookie. You're at risk for this
privacy flaw only if you already have a cookie for the Web site and you
receive a mail message constructed individually for you with an image
whose source URL sends your address back to the Web site.

Finally, Smith thinks that the Outlook and IE teams should agree on the
safest way to send Internet links by email. I agree. IE 6.0 insists on
inserting a .url file in messages you create when you choose File,
Send, Link by E-mail from your browser. However, if you've installed
the Email Security Update, Outlook blocks those files. A text link,
rather than a file attachment, would be safe and accessible for
everyone. Let's hope that Microsoft soon can fix this feature in IE and
also make IFRAME safer to use in HTML mail messages.

Richard Smith's post to the NTBugtraq Mailing List:

'The Cookie Leak Security Hole in HTML Email messages'

Until next time,
Sue Mosher, olupdate@slipstick.com


2. ==== NEWS & VIEWS ====

   According to Internet security and privacy consultant Richard M. 
Smith, a Windows Media Player (WMP) skin file (.wms) can run a script 
that can force a user's browser to navigate to a potentially harmful 
Web page. If an HTML message uses an IFRAME element to launch such a 
..wms file, the Web page would open when the user previews or opens the 
message. Smith recommends that Microsoft consider all WMP files 
potentially unsafe because of their ability to run script code. For 
more information, see the following Web site:
About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.