Re: Email marketing company gives out questionable security advice

From: stonewall (stonewall_at_cavtel.net)
Date: 07/04/03

    To: "Richard M. Smith" <rms@computerbytesman.com>, "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@SECURITYFOCUS.COM>
    Date: Fri, 4 Jul 2003 15:05:23 -0400
    
    

    I am continually amazed at the number of web sites which are unusable when
    Java and ActiveX are disabled. Generally, HTML geeks get paid to make cool
    web sites (and email) which use all the local/interactive "make your machine
    do things" features; most don't seem to be aware of (or care about) the
    security implications. Try blocking active content at your firewall and see
    how long it takes for clients to complain about not being able to use web
    sites (even medical practice / insurance company web sites), not being able
    to get emails/attachments, etc. Education efforts aside, this puts us in
    the position of having to field complaints about "the damn firewall". Does
    anyone else deal with this?

    - stonewall

    ----- Original Message -----
    From: "Richard M. Smith" <rms@computerbytesman.com>
    To: "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@SECURITYFOCUS.COM>
    Sent: Wednesday, July 02, 2003 8:03 PM
    Subject: Email marketing company gives out questionable security advice

    > Hi,
    >
    > Last week, I received an unsolicited email message from Mobil Travel
    > Guide about their new online service. In the message, I was encouraged
    > to turn back on ActiveX and scripting in Outlook in order to view a
    > Flash movie embedded in the message. Needless to say, I thought this
    > was a terrible idea. Instead, I wrote the company who created the ad,
    > Digital Produce (http://www.digitalproduce.com), saying they were giving
    > out bad security advice and they should stop doing this sort of thing
    > in future mailings.
    >
    > I got a reply from the company this week basically saying that they
    > agree with my concern, but not my solution. Instead they decided to put
    > a little security warning on their "real media fix" page. This fixer
    > page can be found here on their Web site:
    >
    > http://www.digitalproduce.com/site_resources/pdfs/outlookfix/
    >
    > I think the warning message is pretty lame and misleading. Microsoft
    > released the Outlook Security Update a few years back because anti-virus
    > software wasn't stopping email worms. Turning back on ActiveX and
    > scripting only encourages the virus writers.
    >
    > (As an aside, the Xbox division of Microsoft is also a customer of
    > Digital Produce. I wonder if any Xbox ads gave out this same bad
    > security advice?)
    >
    > OTOH, it's not too hard to understand where Digital Produce is coming
    > from. According to a recent article in Internet News, only about 30% of
    > email users can view rich media email. This percentage is declining as
    > people upgrade Outlook and Outlook Express to newer versions with better
    > security features. It's pretty obvious that Flash-enabled email is a
    > dying market.
    >
    > Along these same lines, images in HTML email messages will be the next
    > thing to go. The upcoming versions of Outlook and the AOL 9.0 email
    > reader will no longer show images in HTML email messages by default.
    > Hotmail offers this same feature as an option today. This feature is
    > intended to make email more kid-friendly by blocking porno pictures in
    > incoming spam messages. It also stops spammers from snooping on people
    > using Web bugs.
    >
    > It will be interesting to see how email marketing companies and
    > spammers adapt to these technical changes in HTML email.
    >
    > Richard M. Smith
    > http://www.ComputerBytesMan.com
    >
    >

