[Esa-l] TNEF encoding a "big gaping hole?" :)

Bjarni Runar Einarsson bre at netverjar.is
Sun Nov 5 15:30:36 PST 2000


I just wanted to post a "heads up", for those of you who aren't paranoid
yet about those winmail.dat files.  I apologize if this is old news or
already handled by the sanitizer...

Anyway, according to Microsoft's web site, winmail.dat files or
application/ms-tnef files can contain all sorts of evil stuff, including
complete attachments.  So I'm advising people to put winmail.dat on their
blacklists - and if John agrees and hasn't already, he should consider
mangling the MIME type as well, since it may suffice even without the file

P.S. I'm writing this from memory, and the MIME type may not be
"application/ms-tnef".  Go check in the Microsoft knowledge base what to
block before blocking anything.
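
An added example, not part of the original post and not the sanitizer's own code: a Python check that flags TNEF parts in a MIME message by filename, by declared type, and by the leading TNEF signature, so a part is still caught when the name or MIME type differs. The type "application/vnd.ms-tnef" and the signature value 0x223E9F78 are supplied here rather than taken from the post, and the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Not from the post: TNEF streams begin with 0x223E9F78, stored little-endian.
TNEF_SIGNATURE = bytes.fromhex("789f3e22")
# "application/ms-tnef" is the type named in the post; the vnd. form is added here.
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def find_tnef_parts(raw_message: bytes):
    """Return (filename, declared type, reasons) for each part that looks like TNEF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = []
        name = (part.get_filename() or "").strip().lower()
        ctype = part.get_content_type()
        if name == "winmail.dat":
            reasons.append("filename")
        if ctype in TNEF_TYPES:
            reasons.append("content-type")
        # Decode base64/quoted-printable before looking at the first bytes.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(TNEF_SIGNATURE):
            reasons.append("signature")
        if reasons:
            hits.append((name, ctype, reasons))
    return hits

def build_sample() -> bytes:
    """Constructed message: a labelled TNEF part, a mislabelled one, a benign one."""
    body = TNEF_SIGNATURE + b"\x01\x00" + b"constructed sample, not a real TNEF stream"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("hello")
    msg.add_attachment(body, maintype="application", subtype="ms-tnef",
                       filename="winmail.dat")
    msg.add_attachment(body, maintype="application", subtype="octet-stream",
                       filename="report.doc")
    msg.add_attachment(b"plain bytes", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in find_tnef_parts(build_sample()):
        print(hit)
```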

