Re: 'cross site scripting' CERT advisory and MS

[dleblanc () MINDSPRING COM (David LeBlanc)]

After a bit of dinking in vi, I removed the HTML, AND got it properly
indented for response, so...

> Mark Slemko wrote:
>
> > > > 2. Do not use a mail reader that forces you to display HTML messages.
> Using something like Outlook Express is very dangerous, since it
> means that you can be exploited if an email message arrives in your
> inbox and is displayed.

This is overkill.  The problem is scripting, not HTML, which are really
seperate issues.

> If you do use something like Outlook
> Express, be sure to configure it to disable scripting and make it
> as restrictive as possible.

The way to do this is to open the security tab, choose to run messages in
the 'untrusted sites' zone, and then configure that zone to run no script
at all.  Russ Cooper has a nice write-up of all this at
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=56

> Unfortunately, in the case of Outlook
> Express, this doesn't appear to be enough since I can't find any
> setting that will stop things like IFRAMEs from automatically
> loading, which are enough to make you vulnerable in many situations.

I don't know if this can be done, but disabling scripting for e-mail
entirely should be enough.

> Hopefully I'm missing something.<<<

If I'm missing something, please let me know.

> I wrote Microsoft a few days ago asking about shutting off HTML in
> Outlook Express, and here's what they wrote back:

To the best of my understanding of this very complex problem, HTML without
script isn't going to get you.  Script will get you, and you can turn that
off.  When I do use outlook, I've been running it with scripting turned off
for quite some time and have noticed no loss of functionality, other than
when David Litchfield sends me mail to test one of his latest findings, it
doesn't work
8-)

> The gentleman who responded to my query did so promptly, and from what I
> gather from his wording (I am afraid that inbound functionality for
> turning off html code is not possible in Internet Explorer as default.)

I don't think you can, though you _can_ toggle between HTML, text, and rich
text, which would have saved me a few moments getting the HTML out of
_this_ message if I were using it now.

> I would hazard that OE is inexorably tied to IE (ok, i'm not a
> programmer, just hazarding a guess...) just like IE has deep hooks into
> Windows itself, hence the inability to _disable_ reading html in basic
> email. In fact I had limited my inquiry to turning HTML off in OE.

It uses IE as an HTML viewer, as do many applications.  However, if you'd
have asked how to turn off scripting, they should have been able to answer,
and I believe that's all you need to do to make your e-mail safe.

IMHO, the worst problem is with using the browser, since too many sites use
some form of scripting (like www.securityfocus.com), and you can't turn it
completely off without losing the ability to do a lot of things.

David LeBlanc
dleblanc () mindspring com