funsec mailing list archives

RE: RE: funsec Office 2007 has 0 security issues


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Apr 2007 02:29:47 +1200

Richard M. Smith wrote:

These 3 Word bugs are interesting, but I suspect they are not exploitable in
an Outlook email message because an email message is HTML text and not a
Word .DOC file.  ...

Are you sure there's actually that much of a distinction any more?

Have you looked at all the permutations of the new, default Word format 
and how these may be able to be conveyed within the body of a MIME 
Email message?

...  To find security problems in Word that can be exploited
from an Outlook email message instead requires fuzzing HTML.  Security
problems with HTML of course can be a problem with an email reader that
supports HTML including readers which blindly convert HTML to plain text.  

8-)

I wonder how well Nick's Pegasus email reader has been vetted for
HTML-related security problems?

I don't know.

I do know there are two separate HTML engines (don't ask) and one has a 
very nasty habit of crashing with certain types of malformed .GIF that 
are not totally uncommon in some spam.

What I do know is that PMail is probably nowhere near popular enough to 
be worth the bad guys' effort of looking at, apart from those who would 
fashion a carefully and narrowly targeted attack against someone who 
may happen to use PMail.  And regarding HTML support, the renderers in 
PMail used to be "off by default" -- given a message with text/plain and 
text/html parts PMail would show you the text/plain version using its 
own (ancient) display routines.  More recently, with the greater 
dumbing down of the userbase and the increase in use of HTML Email, the 
default setting for new installations has flipped that to preferring 
the HTML form.  My only real concern here is that there is no config 
option to _not_ display HTML-only messages in the HTML viewer and 
either pop up a warning or default to the "raw" ("source") view.

It's possibly buggy as hell, but the point is that no-one, including 
the bad guys, is looking for the faults, so it is much safer in 
everyday use.

And for me, despite its many idiosyncrasies, it has invaluable features 
that MS (and virtually all other MUA developers) has never included 
(and seems unlikely ever to consider).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
