RE: RE: funsec Office 2007 has 0 security issues

[rms () computerbytesman com]

When sending out email messages, Outlook 2007 supports plain text, HTML,
and Outlook RTF.  I think these same 3 options been around for years in
Outlook.  Outlook 2007 and previous versions will display these same 3
formsts.

But I've also wondered for a long time what other MIME types Outlook will
automatically display in message bodies and how to turn off these MIME
types.  Does anyone know the answer?

Richard


> Richard M. Smith wrote:
>
> > These 3 Word bugs are interesting, but I suspect they are not
> > exploitable in
> > an Outlook email message because an email message is HTML text and not a
> > Word .DOC file.  ...
>
> Are you sure there's actually that much of a distinction any more?
>
> Have you looked at all the permutations of the new, default Word format
> and how these may be able to be conveyed within the body of a MIME
> Email message?
>
> > ...  To find security problems in Word that can be exploited
> > from an Outlook email message instead requires fuzzing HTML.  Securuty
> > problems with HTML of course can be a problem with an email reader that
> > supports HTML including readers which blindly convert HTML to plain
> > text.
>
> 8-)
>
> > I wonder how well Nick's Pegasus email reader has been vetted for
> > HTML-related security problems?
>
> I don't know.
>
> I do know there are two separate HTML engines (don't ask) and one has a
> very nasty habit of crashing with certain types of malformed .GIF that
> are not totally uncommon in some spam.
>
> What I do know is that PMail is probably nowhere near popular enough to
> be worth the bad guys' effort of looking at, apart from those who would
> fashion a carefully and narrowly targetted attack against someone who
> may happen to use PMail.  And regarding HTML support, the renderers in
> PMail use to be "off by default" -- given a message with text/plain and
> text/html parts PMail would show you the text/plain version using its
> own (ancient) display routines.  More recently, with the gretaer
> dumbing down of the userbase and the increase in use of HTML Email, the
> default setting for new installations has flipped that to preferring
> the HTML form.  My only real concern here is that there is no config
> option to _not_ display HTML-only messages in the HTML viewer and
> either pop-up a warning or default to the "raw" ("source") view.
>
> It's possibly buggy as hell, but the point is that no-one, including
> the bad guys, is looking for the faults, so it is much safer in
> everyday use.
>
> And for me, despite its many idiosyncracies, it has invaluable features
> that MS (and virtually all other MUA developers) has never included
> (and seems unlikely ever to consider).
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.