Possible Microsoft security vulnerability attack.

Matt hciss at HCIWS.COM
Thu Oct 3 19:10:15 IST 2002


Question.  Why are <iframe> tags needed in email?  What the heck do they do
anyway?  If they are a significant security risk I want them dead!

Just my 2 cents.

Matt


> What would people like me to do about this?
> I really can't see any point in having <OBJECT CODEBASE= tags in HTML mail
> messages.
> But the <IFRAME> tags are obviously causing people problems.
>
> I went for the simple solution of not allowing any iframe tags as that
> dispenses with the problem completely, and protects against future iframe
> exploits. There are quite a few of these already, and I can't see why
> there won't be any more.
>
> Parsing out specific attributes from iframe tags is really hard to do in a
> robust reliable way, which is also why I didn't bother. I see little point
> in having a trap that the bad guys can get round once they have seen the
> code. The commercial guys may think they can have security by obscurity,
> but I don't.
>
> As it stands at the moment, there is a partial solution in V4, as you can
> specify addresses from which you will accept <iframe> tags, and ban them
> from everywhere else.
>
> Is that enough, or do I need to be doing something a lot cleverer?
>
> All thoughts and constructive comments appreciated.
>
> Jules.
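
Added example (not from the thread and not MailScanner's own code): the blanket rule described in the quoted message, flagging any <iframe> or <object codebase=...> tag in the HTML parts of a mail instead of parsing specific attributes, with a per-sender exception for iframes. The allowlist name, the addresses, matching on the From header, and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: hypothetical allowlist of senders permitted to send <iframe>.
# Matching on the From header is this example's choice; that header is not
# authenticated, so a real deployment would key on something stronger.
IFRAME_ALLOWED_SENDERS = {"newsletter@example.org"}


class TagFinder(HTMLParser):
    """Records <iframe> tags and <object> tags carrying a codebase attribute."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME> and
        # <iFrAmE> both arrive here as "iframe". No attribute values are
        # inspected: presence of the tag alone is the trigger.
        if tag == "iframe":
            self.found.add("iframe")
        elif tag == "object" and any(name == "codebase" for name, _ in attrs):
            self.found.add("object-codebase")


def scan_message(raw_bytes):
    """Return (verdict, tags_found); verdict is 'block' or 'deliver'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    found = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = TagFinder()
        finder.feed(part.get_content())
        finder.close()
        found |= finder.found
    blocked = set(found)
    if sender in IFRAME_ALLOWED_SENDERS:
        blocked.discard("iframe")  # the exception covers iframes only
    return ("block" if blocked else "deliver"), sorted(found)


def build_sample(sender, html):
    """Constructed sample input: a minimal single-part HTML mail."""
    return (f"From: {sender}\r\nTo: user@example.com\r\nSubject: test\r\n"
            f"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n"
            f"\r\n{html}\r\n").encode()
```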


