Possible Microsoft security vulnerability attack.

Julian Field mailscanner at ecs.soton.ac.uk
Fri Oct 4 00:06:05 IST 2002


What I have implemented as a possible solution to this is an option
         Log IFrame Tags
which will just syslog the sender of any message containing an <IFrame>
tag. If you allow <IFrame> tags for a couple of weeks, and log them for
that time, you will be able to see the list of addresses from which you
need to allow them. Also you'll get warned of any messages you are stopping
once you ban them, before your users get a chance to complain.

Hopefully this will be a simple solution that will keep most people happy
most of the time :-)

At 19:10 03/10/2002, you wrote:
> > What would people like me to do about this?
> > I really can't see any point having <OBJECT CODEBASE= tags in HTML mail
> > messages.
> > But the <IFRAME> tags are obviously causing people problems.
> >
> > I went for the simple solution of not allowing any iframe tags as that
> > dispenses with the problem completely, and protects against future iframe
> > exploits. There are quite a few of these already, and I can't see why there
> > won't be any more.
> >
> > Parsing out specific attributes from iframe tags is really hard to do in a
> > robust reliable way, which is also why I didn't bother. I see little point
> > in having a trap that the bad guys can get round once they have seen the
> > code. The commercial guys may think they can have security by obscurity,
> > but I don't.
> >
> > As it stands at the moment, there is a partial solution in V4, as you can
> > specify addresses from which you will accept <iframe> tags, and ban them
> > from everywhere else.
> >
> > Is that enough, or do I need to be doing something a lot cleverer?
> >
> > All thoughts and constructive comments appreciated.
> >
> > Jules.

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
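The log-then-allowlist scheme described in the message above, as an added Python example (this is not MailScanner's code, which is Perl, and nothing here comes from the project). The logger name, the allow-list addresses and the three sample messages are all constructed for the illustration. It takes the same stance as the message: it does not try to parse individual iframe attributes, it only decides whether any `<iframe>` element is present anywhere in the HTML parts, looks the sender up in an allow list, and emits a syslog-style log line when the tag comes from an address that is not yet allowed.

```python
"""Added example (not MailScanner code): flag <iframe> tags in HTML mail and
log the sender, honouring a per-sender allow list.

The tag match is deliberately loose: any element named "iframe", in any case,
with any attributes or whitespace, so a spelling variant does not slip past
while attribute-level parsing (hard to do robustly) is avoided.
"""
import email
import logging
import re
from email import policy
from email.utils import parseaddr

# Opening of an iframe element in any case; "<!-- <iframe> -->" in a comment
# also trips it, which is the conservative choice for a mail filter.
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)

# Constructed allow list: senders whose iframe tags are accepted (assumption).
ALLOWED_IFRAME_SENDERS = {"newsletter@example.com"}

log = logging.getLogger("mailscanner-iframe")  # hypothetical logger name


def html_parts(msg):
    """Yield the decoded text of every text/html part, nested ones included."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def contains_iframe(msg):
    """True if any HTML part of the message contains an iframe element."""
    return any(IFRAME_RE.search(body) for body in html_parts(msg))


def sender_of(msg):
    """Envelope-independent sender taken from the From: header, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].lower()


def check_message(raw, allowed=ALLOWED_IFRAME_SENDERS):
    """Return (sender, has_iframe, action); action is 'clean', 'allow' or 'log'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = sender_of(msg)
    if not contains_iframe(msg):
        return sender, False, "clean"
    if sender in allowed:
        log.info("iframe tag from allowed sender %s", sender)
        return sender, True, "allow"
    # This is the line an administrator collects for a couple of weeks to
    # build the allow list before banning iframe tags outright.
    log.warning("iframe tag from %s (not on allow list)", sender)
    return sender, True, "log"


# Constructed sample messages (not real mail).
SAMPLE_PLAIN = b"""From: alice@example.org
To: bob@example.net
Subject: hello
Content-Type: text/plain

no html here
"""

SAMPLE_IFRAME = b"""From: Mailer <newsletter@example.com>
To: bob@example.net
Subject: news
Content-Type: text/html

<html><body><IFRAME src="http://example.com/x"></IFRAME></body></html>
"""

SAMPLE_MIXED_CASE = b"""From: spammer@example.invalid
To: bob@example.net
Subject: offer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

see html
--b1
Content-Type: text/html

<p>hi</p><iFrAmE  src=x>
--b1--
"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
    for raw in (SAMPLE_PLAIN, SAMPLE_IFRAME, SAMPLE_MIXED_CASE):
        print(check_message(raw))
```

Run on the three constructed messages, the plain-text one is reported clean, the newsletter's upper-case `<IFRAME>` is allowed because its sender is on the list, and the mixed-case tag buried in a multipart message is logged. Passing `allowed=set()` reproduces the "log everything" phase the message recommends for the first couple of weeks.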


