funsec mailing list archives
RE: RE: funsec Office 2007 has 0 security issues
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Apr 2007 02:29:47 +1200
Richard M. Smith wrote:
These 3 Word bugs are interesting, but I suspect they are not exploitable in an Outlook email message because an email message is HTML text and not a Word .DOC file. ...
Are you sure there's actually that much of a distinction any more? Have you looked at all the permutations of the new, default Word format and how these may be able to be conveyed within the body of a MIME Email message?
... To find security problems in Word that can be exploited from an Outlook email message instead requires fuzzing HTML. Security problems with HTML of course can be a problem with an email reader that supports HTML including readers which blindly convert HTML to plain text.
8-)
I wonder how well Nick's Pegasus email reader has been vetted for HTML-related security problems?
I don't know. I do know there are two separate HTML engines (don't ask) and one has a very nasty habit of crashing with certain types of malformed .GIF that are not totally uncommon in some spam.

What I do know is that PMail is probably nowhere near popular enough to be worth the bad guys' effort of looking at, apart from those who would fashion a carefully and narrowly targeted attack against someone who may happen to use PMail.

And regarding HTML support, the renderers in PMail used to be "off by default" -- given a message with text/plain and text/html parts PMail would show you the text/plain version using its own (ancient) display routines. More recently, with the greater dumbing down of the userbase and the increase in use of HTML Email, the default setting for new installations has flipped that to preferring the HTML form. My only real concern here is that there is no config option to _not_ display HTML-only messages in the HTML viewer and either pop-up a warning or default to the "raw" ("source") view.

It's possibly buggy as hell, but the point is that no-one, including the bad guys, is looking for the faults, so it is much safer in everyday use.

And for me, despite its many idiosyncrasies, it has invaluable features that MS (and virtually all other MUA developers) has never included (and seems unlikely ever to consider).

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
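The display policy discussed in the message above (show text/plain when both parts exist, and send HTML-only mail to a source view with a warning instead of the renderer), sketched as an added Python example that is not part of the original post and not Pegasus Mail code. The function name, option names and sample messages are constructed for illustration.

```python
# Added illustration, not Pegasus Mail code. Names and sample messages are constructed.
from email import message_from_string

def _text(part):
    """Decode one leaf part to str, tolerating bad or missing charsets."""
    data = part.get_payload(decode=True) or b""
    try:
        return data.decode(part.get_content_charset() or "utf-8", errors="replace")
    except LookupError:  # unknown charset label in the header
        return data.decode("latin-1")

def choose_view(raw, prefer_html=False, render_html_only=False):
    """Return (view, body, warning); view is 'plain', 'html' or 'source'."""
    plain = html = None
    for part in message_from_string(raw).walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain" and plain is None:
            plain = part
        elif ctype == "text/html" and html is None:
            html = part
    if plain is not None and (html is None or not prefer_html):
        return "plain", _text(plain), None   # HTML rendering "off by default"
    if plain is not None and html is not None:
        return "html", _text(html), None     # the flipped default for new installs
    if html is not None:
        if render_html_only:
            return "html", _text(html), None
        # The missing option: never hand HTML-only mail to the renderer.
        return "source", _text(html), "HTML-only message: showing source, not rendered"
    return "source", raw, "no displayable text part"

MULTI = (  # constructed sample: multipart/alternative with both forms
    "From: a@example.test\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=us-ascii\n\nHello in plain text\n"
    "--b1\nContent-Type: text/html; charset=us-ascii\n\n<p>Hello in <b>HTML</b></p>\n"
    "--b1--\n"
)
HTML_ONLY = (  # constructed sample: a single text/html body
    "From: b@example.test\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n\n<p>Only HTML here</p>\n"
)

if __name__ == "__main__":
    for name, raw in (("multi", MULTI), ("html-only", HTML_ONLY)):
        print(name, choose_view(raw, prefer_html=True)[::2])
```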