About | Buy Stuff | News | Products | Rants | Search | Security | Social
Home » Resources » Rants

IONs in an Uproar

Week of May 21, 2002

Microsoft have issued a patch - a patch that, typically, does not work. (So much for 'Trustworthy Computing'.) But the patch threatens that most sacred of hallowed grounds, the domain of the HTML email of the IONs (Idiots Of the Net). Herewith the skinny on this devasting tragedy.

Microsoft issued a critical update for Microsoft Internet Explorer 
(IE) last week in Microsoft Security Bulletin MS02-023 (15 May 2002 
Cumulative Patch for Internet Explorer) that eliminates a 
longstanding vulnerability in HTML-format messages--the ability of 
an <IFRAME> tag to use the Internet Sites security zone, rather than 
the Restricted Sites zone, to launch a file attached to a message or 
to open a Web page inside a message. This vulnerability has 
contributed to the spread of Klez and some other viruses that use an 
<IFRAME> tag to launch a file when the user previews or opens an 
HTML message. Depending on the attachment security in place on the 
user's machine, the attachment that the <IFRAME> tag launches might 
run automatically, thus setting up a situation in which the user 
might not know that a message has an attached file or that the file 
has already starting running.

After you apply the update, which is available for IE 6.0, IE 5.5
Service Pack 1 (SP1) and SP2, and IE 5.0 SP2, Web pages from sites
in the Restricted Sites zone will ignore <IFRAME> tags. Outlook 2002
and Outlook 2000 and Outlook 98 with the Outlook E-mail Security
Update all use the Restricted Sites zone for HTML messages.

If you haven't installed the Outlook E-mail Security Update, after
you download and install the IE update, you must manually set
Outlook to use the Restricted Sites zone if you want to get the
benefit of the <IFRAME> blocking. You can do so on the Security tab
of Outlook's Tools, Options dialog box. Forcing Outlook to operate
in the Restricted Sites zone also eliminates other potential
vulnerabilities related to script in HTML messages.

Strangely enough, this IE update has some surprising consequences
for Outlook 2002 and Outlook 2000 users. The appearance of the
Organize pane in both versions and the Find pane in Outlook 2000
will no longer show white text links in the Tahoma font on a gray
background. Instead, the links are the default underlined blue,
which makes them difficult to see on the dark background, and the
font is whatever font you have set as your default in IE.

The change in behavior is because of another fix in the IE update
(the update patches six new vulnerabilities as well as all
previously acknowledged problems). As GreyMagic Software reported,
one vulnerability related to Cascading Style Sheets (CSS) makes it
possible to read data from local files on the user's machine.
Microsoft appears to have fixed this problem by making it impossible
for an HTML page to load a style sheet from a  tag that points
to a locally stored ..css file, unless the user has placed in the
Trusted Sites zone the domain hosting the Web page.

What does this fix have to do with Outlook? The content of the Find
and Organize panes is stored in a DLL that's installed with Outlook.
Also embedded in that resource DLL is the style sheet that changes
the font settings for those panes. Because the style sheet is in a
local file, the Find and Organize panes won't load it after you
install the new IE update. To fix the problem, Microsoft will
probably need to update the DLL to use inline styles instead of a
style sheet.

Yes, this new CSS limitation is annoying (and will affect other
applications that use .css files on local systems or in resource
.dll files), but it's no reason not to install the IE patch. The
benefits of greater security for HTML-format messages far outweigh
the aggravation of this display issue.
About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.