FW: [BT] NOT GOOD: Outlook Express 6 + Internet Explorer 6
joe at madewell.com
Wed Mar 31 20:34:55 PST 2004
Does anyone else find this troubling?
This details a method for delivering hazardous e-mail content in a
way that would not be trapped by the sanitizer.
It looks pretty slick to me. The recipient is presented with a
harmless looking message and is tricked into clicking on what looks
to be an innocent link.
As for defending against this, I think defanging <FORM> tags might be
appropriate. (IMHO, I can think of no good reason why I need to
receive an html form by e-mail anyway.) Consequently, I created the
attached patch against 1.142 which adds <FORM> tags to the list of
html tags that are defanged (presuming SECURITY_TRUST_HTML is
[demime 0.98e removed an attachment of type application/octet-stream which had a name of 1.142.patch]
More information about the esd-l