[thelist] RE: Email confirmation: HTML or Plain Text?

Jason Handby jasonh at corestar.co.uk
Thu Nov 11 13:50:20 CST 2004

Hi Steven,

> >From today's US-CERT Cyber Security Alert:
> "By convincing a user to view a specially crafted HTML document
>    (e.g., a web page or an HTML email message), an attacker could
>    execute arbitrary code with the privileges of the user. The
>    attacker could also cause IE (or any program that hosts the
>    WebBrowser ActiveX control) to crash.

I did a bit of googling and eventually decided you must be referring to this


> US-CERT recommends you send Plain Text Emails to clients and not HTML.

They also say "Note that reading and sending email in plain text will not
necessarily prevent exploitation of this vulnerability."

I can see that, for security reasons, it would make sense for people to view
their incoming email in text format only. And I can see that, if enough
people did that, there would no longer be any point in sending out HTML
emails as hardly anyone would be able to read them. However, given that lots
of people *can* still receive HTML emails, I can't see why I shouldn't send
them. Given that any HTML email I send is not going to contain buffer
overflow exploits (because I'm not a hacker), why am I threatening the
security of other internet users by sending HTML emails?


More information about the thelist mailing list