Security Incidents mailing list archives
RE: Stopping information leakage
From: "James C. Slora, Jr." <Jim.Slora () phra com>
Date: Wed, 14 May 2003 10:09:10 -0400
Jerry Shenk wrote Tuesday, May 13, 2003 6:42 PM
That's not malware of any hidden anything....apparently your e-mail app is programmed to process html links. The original e-mail message included the link for this web site. It is quite interesting that a simple text link like that would cause a connection. Chalk up another reason not to use Outlook!
I agree that it is not malware. The IMG is performing a function very similar to a web bug, but since it uses a file: reference it can cause information leakage beyond that of a normal web bug.

I agree with Vernon Stark's original analysis. The mail client was not prefetching or processing a link, it was rendering an image with an external source. Processing the IMG tag - even when it references external resources - is a common function of rendering HTML email and is intended to cause a connection (which is why web bugs work).

The file: behavior is yet another good reason not to render HTML in email. I don't know if Outlook is any better or worse than another HTML-aware package in this one specific regard. I guess file: sources should probably be discarded even when HTML is being rendered, but it is more important to make sure that SMB ports are blocked at the perimeter.

I'm curious whether the file: reference will cause the IMG call to bypass web bug filtering packages. Anyone able to test this?
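One way a mail filter could catch the case discussed in the message above, as an added example that is not part of the original post and does not describe any particular filtering product: it lists auto-fetched references in an HTML body and tags file: URLs and UNC paths separately from ordinary http(s) web bugs. The attribute set, the function names and the host names in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make an HTML renderer fetch a resource with no user action
# (assumed set for this example; real renderers honour more).
AUTO_FETCH_ATTRS = {"src", "background"}

def classify(url):
    """Return 'file' (file: URL or UNC path), 'web' (http/https) or None."""
    u = url.strip().replace("\\", "/")
    if u.startswith("//"):              # \\host\share\x.gif written as a UNC path
        return "file"
    scheme = urlsplit(u).scheme.lower()
    if scheme == "file":
        return "file"
    if scheme in ("http", "https"):
        return "web"
    return None                         # cid:, data:, bare names: not flagged here

class ExternalRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in AUTO_FETCH_ATTRS and value:
                kind = classify(value)
                if kind:
                    self.refs.append((tag, name, value, kind))

def find_external_refs(html):
    """List (tag, attribute, url, kind) for every auto-fetched external reference."""
    finder = ExternalRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs

# Constructed sample body; the host names are placeholders.
SAMPLE = (
    '<html><body background="cid:bg1"><p>Hello</p>'
    '<img src="http://tracker.example/bug.gif" width="1" height="1">'
    '<img src="file://fileserver.example/share/logo.gif">'
    '<img src="\\\\fileserver.example\\share\\logo2.gif">'
    '<img src="cid:logo3"></body></html>'
)

if __name__ == "__main__":
    for tag, attr, url, kind in find_external_refs(SAMPLE):
        print(f"{kind:4} <{tag} {attr}={url!r}>")
```

A filter that matches only http and https sources would report one of the three references in the sample; the two tagged `file` are the ones that lead to an SMB connection attempt.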