Re: [Fwd: Re: Cross-Site Request Forgeries (Re: The Dangers ofAllowing Users to Post Images)]

[Mark Tinberg <mtinberg () securepipe com>]

Lincoln Yeoh wrote:
> And if Microsoft Word becomes very intertwined with IE (word uses IE to
> fetch stuff) then word documents with image/object links will also be an
> issue. Mix well and add a few macros to taste ;).

While MS is the big wide target, it isn't just them that need to worry.

1)  Many other pieces of software, including mail clients, use the
mshtml.dll library and can inherit any security bugs.  I seem to fuzzily
remember Eudora mail and Novell GroupWise client allowing JavaScript
popups and probably being vulnerable to a whole host of
vulnerabilities.  Luckily most vulnerabilities are targeted at Outlook
and OE but could be recoded to use other email clients.

2)  Other environments that provide tight integration of components (I'm
thinking of KDE/Konqueror since I am a user of it) may also be
vulnerable to these issues.  I don't really know how other
environments/object models deal with these issues, it would be nice to
hear from the various development teams/companies and how they have
dealt with these issues.

-- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer
SecurePipe, Inc. -- Managed Network Security Services
Remember:  Wherever you go, there you are!