Possible Microsoft security vulnerability attack.
Julian Field
mailscanner at ecs.soton.ac.uk
Fri Oct 4 00:06:05 IST 2002
What I have implemented as a possible solution to this is an option
Log IFrame Tags
which will just syslog the sender of any message containing an <IFrame>
tag. If you allow <IFrame> tags for a couple of weeks, and log them for
that time, you will be able to see the list of addresses from which you
need to allow them. Also you'll get warned of any messages you are stopping
once you ban them, before your users get a chance to complain.
Hopefully this will be a simple solution that will keep most people happy
most of the time :-)
At 19:10 03/10/2002, you wrote:
> > What would people like me to do about this?
> > I really can't see any point have <OBJECT CODEBASE= tags in HTML mail
>messages.
> > But the <IFRAME> tags are obviously causing people problems.
> >
> > I went for the simple solution of not allowing any iframe tags as that
> > dispenses with the problem completely, and protects against future iframe
> > exploits. There are quite a few of these already, and I can't see why
>there
> > won't be any more.
> >
> > Parsing out specific attributes from iframe tags is really hard to do in a
> > robust reliable way, which is also why I didn't bother. I see little point
> > in having a trap that the bad guys can get round once they have seen the
> > code. The commercial guys may think they can have security by obscurity,
> > but I don't.
> >
> > As it stands at the moment, there is a partial solution in V4, as you can
> > specify addresses from which you will accept <iframe> tags, and ban them
> > from everywhere else.
> >
> > Is that enough, or do I need to be doing something a lot cleverer?
> >
> > All thoughts and constructive comments appreciated.
> >
> > Jules.
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
More information about the MailScanner
mailing list