[thelist] RE: Email confirmation: HTML or Plain Text?
Hassan Schroeder
hassan at webtuitive.com
Thu Nov 11 14:38:55 CST 2004
ANDREA STREIGHT wrote:
> "By convincing a user to view a specially crafted HTML document
> (e.g., a web page or an HTML email message), an attacker could
> execute arbitrary code with the privileges of the user. The
> attacker could also cause IE (or any program that hosts the
> WebBrowser ActiveX control) to crash.
>
> Reports indicate that this vulnerability is being exploited by
> malicious code propagated via email. When a user clicks on a URL in
> a malicious email message, IE opens and displays an HTML document
> that exploits the vulnerability.
>
> I'm convinced.
Me, too -- I'm convinced anyone still using Windows/IE/Outlook is
pretty reckless :-)
You might note that a *plain text* email with a URL in the format
<http://example.com/> will be *made clickable* by Outlook, and if
clicked, *will launch* your default browser.
If that's IE (or other ActiveX-enabled browser), well, you can at
least say "Yo, I didn't get cracked by accepting HTML email!"
And that'll be a great consolation, I'm sure :-)
--
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
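As an added illustration of the point above (my example, not code from the thread): a small Python audit that parses a text/plain message, lists the URLs a client such as Outlook would make clickable, including the `<http://...>` angle-bracket form, and rewrites them in defanged form so they stop auto-linking. The sample message and the hxxp/[.] defanging convention are assumptions of mine, not anything from the post.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): a text/plain message whose body
# carries one URL in the <http://...> form and one bare URL.
SAMPLE_PLAIN_TEXT_MAIL = """\
From: sender@example.com
Subject: test
Content-Type: text/plain; charset="us-ascii"

Please see <http://example.com/> and also https://example.org/path?x=1.
Nothing to click here: example.net is not written as a URL.
"""

# http(s) URLs either wrapped in <...> (the RFC 3986 Appendix C delimiters
# used in the post) or bare; a bare URL stops at whitespace or a bracket.
URL_RE = re.compile(r"<(https?://[^>\s]+)>|(https?://[^\s<>]+)")

def extract_urls(body: str) -> list:
    """Return every http(s) URL a mail client would be likely to auto-link."""
    urls = []
    for m in URL_RE.finditer(body):
        url = m.group(1) or m.group(2)
        # A bare URL often ends a sentence; drop the trailing punctuation.
        urls.append(url.rstrip(".,;:!?"))
    return urls

def defang(url: str) -> str:
    """Rewrite a URL so mail clients stop auto-linking it (hxxp, [.])."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"

def defang_body(body: str) -> str:
    """Return the body with every auto-linkable URL defanged in place."""
    def _sub(m):
        if m.group(1):                      # <...> form: keep the brackets
            return f"<{defang(m.group(1))}>"
        core = m.group(2).rstrip(".,;:!?")  # keep sentence punctuation as-is
        return defang(core) + m.group(2)[len(core):]
    return URL_RE.sub(_sub, body)

def audit_message(raw_message: str) -> dict:
    """Parse a raw single-part RFC 822 message and report its clickable URLs."""
    msg = message_from_string(raw_message)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    return {"content_type": msg.get_content_type(),
            "urls": extract_urls(body), "defanged_body": defang_body(body)}
```

Running `audit_message(SAMPLE_PLAIN_TEXT_MAIL)` reports `text/plain` yet still lists two clickable URLs, which is exactly why a plain-text policy alone does not remove the click-through risk; the defanged body is what a gateway or awareness tool could hand to the reader instead.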