[thelist] RE: Email confirmation: HTML or Plain Text?

Hassan Schroeder hassan at webtuitive.com
Thu Nov 11 14:38:55 CST 2004


ANDREA STREIGHT wrote:

> "By convincing a user to view a specially crafted HTML document
>    (e.g., a web page or an HTML email message), an attacker could
>    execute arbitrary code with the privileges of the user. The
>    attacker could also cause IE (or any program that hosts the
>    WebBrowser ActiveX control) to crash.
> 
>    Reports indicate that this vulnerability is being exploited by
>    malicious code propagated via email. When a user clicks on a URL in
>    a malicious email message, IE opens and displays an HTML document
>    that exploits the vulnerability.
>
> I'm convinced.

Me, too -- I'm convinced anyone still using Windows/IE/Outlook is
pretty reckless :-)

You might note that a *plain text* email with a URL in the format
<http://example.com/> will be *made clickable* by Outlook, and if
clicked, *will launch* your default browser.

If that's IE (or other ActiveX-enabled browser), well, you can at
least say "Yo, I didn't get cracked by accepting HTML email!"

And that'll be a great consolation, I'm sure :-)

-- 
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.
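The point above, that a URL in a plain-text body still becomes a clickable link, is the reason mail gateways often rewrite ("defang") URLs before delivery. The following is an added example and not code from the original post or from anyone on the list; it uses only the Python standard library, the sample message is constructed for the demonstration, and the `hxxp` / `[.]` rewriting is an assumed convention, not a property of Outlook.

```python
"""
Added example (not part of the original thelist post): find URLs in the
plain-text body of an e-mail and defang them so a client will not auto-link
them. Standard library only; SAMPLE_MAIL is a constructed message.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Matches the angle-bracket form <http://example.com/> used in the post as
# well as bare http(s):// URLs terminated by whitespace, quotes or brackets.
URL_RE = re.compile(r'<?(https?://[^\s<>()"]+)>?', re.IGNORECASE)

# Constructed sample message (not taken from the original post).
SAMPLE_MAIL = """\
From: someone@example.org
To: you@example.net
Subject: plain text can still be clicked
Content-Type: text/plain; charset="us-ascii"

Please review the new page:
<http://example.com/>
Also see https://login.example.org/reset?token=abc123 before Friday.
"""


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL found in a plain-text body, in order."""
    return [m.group(1) for m in URL_RE.finditer(body)]


def defang(url: str) -> str:
    """Rewrite a URL so mail clients stop treating it as a link.

    'http' becomes 'hxxp' in the scheme and '.' becomes '[.]' in the host
    part only (assumed convention, common when sharing indicators).
    """
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    scheme = scheme.lower().replace("http", "hxxp")
    return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"


def defang_plain_text_body(raw_message: str) -> tuple[str, list[str]]:
    """Parse a raw message and defang URLs in its single text/plain body.

    Returns the rewritten body and the list of URLs that were found.
    Multipart or non-text messages are rejected to keep the example small.
    """
    msg: Message = message_from_string(raw_message)
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        raise ValueError("example handles single-part text/plain messages only")
    body = msg.get_payload()
    found = extract_urls(body)
    # Keep any surrounding angle brackets; only the URL itself is rewritten.
    rewritten = URL_RE.sub(
        lambda m: m.group(0).replace(m.group(1), defang(m.group(1))), body
    )
    return rewritten, found


if __name__ == "__main__":
    new_body, urls = defang_plain_text_body(SAMPLE_MAIL)
    print("found:", urls)
    print(new_body)
```

Run it as a script to see the rewritten body; in a real gateway the same function would sit in the delivery path, and the list of extracted URLs is what you would hand to a reputation check or a sandbox.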
