Bugtraq mailing list archives

Re: IE5 allows executing programs


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Fri, 3 Sep 1999 09:06:16 -0700


At 11:19 AM 9/3/99 +1000, Brad Griffin wrote:

"I use Eudora Pro and have IE 5 as the default mail viewer (as is the
default Install) and you crashed Eudora (NT not logged in as
Administrator). I had to disable IE 5 as the default viewer to see the
mail..."
I assume this would have been caused by the mail reader attempting to
execute all four fragments of code.

There was an issue a while back where you could send people using Eudora
javascript in their e-mail.  I think your assumption is valid. I don't know
if Eudora 4.x allows people to set the security zone that IE uses (I hope
it does).

This is why I _strongly_ suggest that if you're using any type of
HTML-enabled e-mail, set it up to run under the most paranoid settings
possible. Most normal mail uses pretty standard HTML, with no Java or
anything else, so you're not really losing any functionality you'll
actually use.

Not only will it save you from this attack, but there are lots of other
nasty things that no longer work.  Even though you still want to go get the
patches, this measure keeps you out of trouble as a blanket measure.

I'd bet that if your friends lock down their viewing settings, they can see
the mail just fine.

David LeBlanc
dleblanc () mindspring com

