Possible Microsoft security vulnerability attack.
Julian Field
mailscanner at ecs.soton.ac.uk
Thu Oct 3 14:30:40 IST 2002
What would people like me to do about this?
I really can't see any point have <OBJECT CODEBASE= tags in HTML mail messages.
But the <IFRAME> tags are obviously causing people problems.
I went for the simple solution of not allowing any iframe tags as that
dispenses with the problem completely, and protects against future iframe
exploits. There are quite a few of these already, and I can't see why there
won't be any more.
Parsing out specific attributes from iframe tags is really hard to do in a
robust reliable way, which is also why I didn't bother. I see little point
in having a trap that the bad guys can get round once they have seen the
code. The commercial guys may think they can have security by obscurity,
but I don't.
As it stands at the moment, there is a partial solution in V4, as you can
specify addresses from which you will accept <iframe> tags, and ban them
from everywhere else.
Is that enough, or do I need to be doing something a lot cleverer?
All thoughts and constructive comments appreciated.
Jules.
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
More information about the MailScanner
mailing list