SV: Possible Microsoft security vulnerability attack.

Anders Andersson, IT andersan at LTKALMAR.SE
Thu Oct 3 15:15:58 IST 2002


> -----Original message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: 3 October 2002 15:31
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Possible Microsoft security vulnerability attack.
> 
> 
> What would people like me to do about this?
> I really can't see any point in having <OBJECT CODEBASE= tags in
> HTML mail messages.
> But the <IFRAME> tags are obviously causing people problems.
> 
> I went for the simple solution of not allowing any iframe tags, as that
> dispenses with the problem completely and protects against future iframe
> exploits. There are quite a few of these already, and I can't see why there
> won't be any more.
> 
> Parsing out specific attributes from iframe tags is really hard to do in a
> robust, reliable way, which is also why I didn't bother. I see little point
> in having a trap that the bad guys can get round once they have seen the
> code. The commercial guys may think they can have security by obscurity,
> but I don't.
> 
> As it stands at the moment, there is a partial solution in V4, as you can
> specify addresses from which you will accept <iframe> tags, and ban them
> from everywhere else.
> 
> Is that enough, or do I need to be doing something a lot cleverer?
I agree 100%... there will be more exploits in the future,
and why even chance that they will pass the scanner?
For me, I'm satisfied with an option to accept from certain domains.
Maybe it's possible to add something in the future to accept <iframe>
from certain users... haven't checked v4 yet, so it might already be there.

/Anders

> 
> All thoughts and constructive comments appreciated.
> 
> Jules.
> --
> Julian Field                Teaching Systems Manager
> jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ
> 
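The policy Julian describes (drop every <iframe> unless the sender is explicitly allowed, drop every <OBJECT CODEBASE= tag outright, and do not try to interpret attributes) can be illustrated with a small tag-level filter. This is an added example, not MailScanner's own code: the allowlist layout, the constructed sample messages and the function names are assumptions. It deliberately neutralises only the tag opener by escaping its "<", so the attributes never need to be parsed, which is the robustness argument made above.

```python
"""Tag-level filter for HTML mail bodies (illustration, not MailScanner code).

Policy, following the thread:
  * <iframe ...> and </iframe> are neutralised unless the From: address is on
    an allowlist (exact address or whole domain; the layout is an assumption);
  * <object ...> is neutralised whenever its attribute list carries CODEBASE=,
    regardless of sender;
  * no attribute is ever interpreted: we escape the '<' of the tag opener so
    the rest of the tag renders as harmless text.
"""
import re
from email.utils import parseaddr

# Constructed allowlist (assumption): full addresses and whole domains.
IFRAME_ALLOWED_ADDRESSES = {"newsletter@example.com"}
IFRAME_ALLOWED_DOMAINS = {"trusted.example.org"}

# Opening or closing iframe tag in any case; whitespace between '<', '/' and
# the name is tolerated so odd spacing does not slip past. '\b' keeps words
# such as "iframes" in running text from matching.
IFRAME_OPENER = re.compile(r"<\s*/?\s*iframe\b", re.IGNORECASE)

# <object ...> whose attributes (up to the next '>') mention CODEBASE=.
# The lookahead only checks for the attribute; it is never parsed or trusted.
# This also catches names like data-codebase=, which is acceptable over-blocking.
OBJECT_CODEBASE_OPENER = re.compile(
    r"<\s*object\b(?=[^>]*\bcodebase\s*=)", re.IGNORECASE
)


def sender_may_use_iframes(from_header: str) -> bool:
    """Exact-address match first, then domain match, both case-insensitive.

    An empty or unparseable From: never earns the privilege.
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr or "@" not in addr:
        return False
    if addr in IFRAME_ALLOWED_ADDRESSES:
        return True
    return addr.rsplit("@", 1)[1] in IFRAME_ALLOWED_DOMAINS


def filter_html(html: str, from_header: str):
    """Return (cleaned_html, removed) where removed lists neutralised openers."""
    removed = []

    def neutralise(match):
        # Record the opener and replace its '<' with the entity so the tag
        # can no longer be recognised as markup by the rendering client.
        removed.append(match.group(0))
        return "&lt;" + match.group(0)[1:]

    cleaned = OBJECT_CODEBASE_OPENER.sub(neutralise, html)
    if not sender_may_use_iframes(from_header):
        cleaned = IFRAME_OPENER.sub(neutralise, cleaned)
    return cleaned, removed


if __name__ == "__main__":
    # Constructed sample: a zero-size iframe pointing at an inline attachment,
    # the pattern the 2002 Outlook/IE mail exploits relied on.
    sample = ('<p>Hello</p>\n<IFRAME SRC="cid:payload" WIDTH=0 HEIGHT=0>'
              '</IFRAME>\n<object codebase="http://example.net/x.cab" classid="y">')
    for sender in ("mallory@evil.example.net", "alice@trusted.example.org"):
        body, dropped = filter_html(sample, sender)
        print(f"--- From: {sender}, neutralised {dropped}\n{body}\n")
```

Note that an allowed sender still loses the <object codebase=> tag: the allowlist only buys back iframes, matching the distinction drawn above.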