[Esa-l] Yet ANOTHER Microsoft Active Scripting hole

Brett Glass brett at lariat.org
Fri Apr 20 08:18:05 PDT 2001

According to Georgi Guninski, users of Outlook Express who have turned 
off Active Scripting are STILL subject to exploitation by malicious 
scripts that employ XML scripting. See


for an example. It looks as if attachments with .eml, .xsl, and .xml 
extensions should be mangled, defanged, or even poisoned.... IFRAME tags 
are already disabled by John's santizier if they appear in the body of 
the message, but not if they're in .eml files.


More information about the esd-l mailing list