RE: [fw-wiz] HTML Emails and Firewall Security
From: dave kleiman (dave_at_netmedic.net)
Date: 08/02/03
- Previous message: Paul Robertson: "Re: [fw-wiz] Fw: [Full-Disclosure] DCOM Exploit MS03-026 attack vectors"
- In reply to: Bill Royds: "Re: [fw-wiz] HTML Emails and Firewall Security"
- Next in thread: Victoria of Borg: "Re: [fw-wiz] HTML Emails and Firewall Security"
To: "'Bill Royds'" <broyds@rogers.com>, "'Fabio Pietrosanti (naif)'" <fabio@pietrosanti.it>, <firewall-wizards@honor.icsalabs.com>
Date: Sat, 2 Aug 2003 15:20:52 -0400
You could always utilize the NOHTML.DLL in any Outlook client (2000,2002)
etc.
_____________________
Dave Kleiman
dave@netmedic.net
www.netmedic.net
"High achievement always takes place in the framework of high expectation."
Jack Kinder
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Bill Royds
Sent: Friday, August 01, 2003 23:37
To: Fabio Pietrosanti (naif); firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] HTML Emails and Firewall Security
Under the Outlook 2003 rules, that bugtraq example would not be a problem
because JavaScript (nor an out of line image) is not allowed.
As you pointed out in BugTraq, even plain text messages containing
HTML/JavaScript are executed at present.
Microsoft's old paradigm is certainly wrong. Perhaps their latest one is a
little better.
----- Original Message -----
From: "Fabio Pietrosanti (naif)" <fabio@pietrosanti.it>
To: <firewall-wizards@honor.icsalabs.com>
Sent: Friday, August 01, 2003 6:05 AM
Subject: Re: [fw-wiz] HTML Emails and Firewall Security
Unfortunately the Microsoft way of "securing" applications often fails:
http://lists.insecure.org/lists/bugtraq/2003/Jul/0058.html
And they are not going to fix it.
On Wed, Jul 30, 2003 at 09:41:50PM -0400, Bill Royds wrote:
> The new Microsoft Outlook client has several levels of HTML filtering from
> text only to "html only with no images or script or other links" to html
> with no script but with embedded images to full blown HTML. The second level
> (HTML formatting for text but no other HTML) is probably the best for most
> users. It allows some structure in a message (heading, italic, bold,
> tabular data) to help convey information in a more readable fashion than
> plain text, but limits the effects of scripts or web bugs.
--
Fabio Pietrosanti ( naif )
E-mail: fabio@pietrosanti.it - naif@sikurezza.org
PGP Key available on my homepage: http://fabio.pietrosanti.it/
--
Security is a state of being, not a state of budget. rfp
--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
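The "HTML formatting for text but no other HTML" level described in the quoted message, sketched as an allowlist filter for a mail gateway or client. This is an added example, not part of the original thread and not Outlook's implementation; the tag allowlist, the names FormattingOnlyFilter and filter_formatting_only, and the sample message are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: the post names headings, italic, bold and tabular data;
# the remaining tags are an illustrative choice.
FORMATTING_TAGS = {"b", "i", "em", "strong", "u", "p", "br", "h1", "h2", "h3",
                   "ul", "ol", "li", "table", "tr", "th", "td", "pre"}
VOID_TAGS = {"br"}                    # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}    # element text must not leak into output

# Constructed sample body: event handler, web bug, link and inline script.
SAMPLE = ('<h1 onclick="x()">Report</h1><p>See <b>totals</b> '
          '<img src="http://tracker.example/bug.gif" width="1" height="1">'
          '<a href="http://example.invalid/">here</a></p>'
          '<script>alert(1)</script><table><tr><td>1 &lt; 2</td></tr></table>')


class FormattingOnlyFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0           # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in FORMATTING_TAGS:
            # Attributes are discarded wholesale: no on* handlers, style, src, href.
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif (self.skip_depth == 0 and tag in FORMATTING_TAGS
              and tag not in VOID_TAGS):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so it can never be reparsed as markup.
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))


def filter_formatting_only(html_body: str) -> str:
    """Return html_body reduced to bare formatting tags and escaped text."""
    parser = FormattingOnlyFilter()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)
```

Tags outside the allowlist are dropped while their text is kept, comments are discarded, and an unterminated script element causes everything after it to be dropped.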