lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <000901c3425f$39979e70$e001a8c0@w2kdesktop>
Date: Fri, 4 Jul 2003 15:05:23 -0400
From: "stonewall" <stonewall@...tel.net>
To: "Richard M. Smith" <rms@...puterbytesman.com>,
	"BUGTRAQ@...URITYFOCUS. COM" <BUGTRAQ@...URITYFOCUS.COM>
Subject: Re: Email marketing company gives out questionable security advice


I am continually amazed at the number of web sites which are unusable when
java and ActiveX are disabled.  Generally, html geeks get paid to make cool
web sites (and email) which use all the local/interactive "make your machine
do things" features; most don't seem to be aware of (or care about) the
security implications.  Try blocking active content at your firewall and see
how long it takes for clients to complain about not being able to use web
sites (even medical practice / insurance company web sites), not being able
to get emails/attachments, etc.  Education efforts aside, this puts us in
the position of having to field complaints about "the damn firewall".  Does
anyone else deal with this?

- stonewall

----- Original Message -----
From: "Richard M. Smith" <rms@...puterbytesman.com>
To: "BUGTRAQ@...URITYFOCUS. COM" <BUGTRAQ@...URITYFOCUS.COM>
Sent: Wednesday, July 02, 2003 8:03 PM
Subject: Email marketing company gives out questionable security advice


> Hi,
>
> Last week, I received an unsolicited email message from Mobil Travel
> Guide about their new online service.  In the message, I was encouraged
> to turn back on ActiveX and scripting in Outlook in order to view a
> Flash movie embedded in the message.  Needless to say, I thought this
> was a terrible idea.  Instead, I wrote the company who created the ad,
> Digital Produce (http://www.digitalproduce.com), saying they were giving
> out bad security advice and they should stop doing this sort of thing
> in future mailings.
>
> I got a reply from the company this week basically saying that they
> agree with my concern, but not my solution.  Instead they decided to put
> a little security warning on their "real media fix" page.  This fixer
> page can be found here on their Web site:
>
>    http://www.digitalproduce.com/site_resources/pdfs/outlookfix/
>
> I think the warning message is pretty lame and misleading.  Microsoft
> released the Outlook Security Update a few years back because anti-virus
> software wasn't stopping email worms.  Turning back on ActiveX and
> scripting only encourages the virus writers.
>
> (As an aside, the Xbox division of Microsoft is also a customer of
> Digital Produce.  I wonder if any Xbox ads gave out this same bad
> security advice?)
>
> OTOH, it's not too hard too understand where Digital Produce is coming
> from.  According to a recent article in Internet News, only about 30% of
> email users can view rich media email.  This percentage is declining as
> people upgrade Outlook and Outlook Express to newer versions with better
> security features.  It's pretty obvious that Flash-enabled email is a
> dying market.
>
> Along these same lines, images in HTML email messages will be the next
> thing to go.  The upcoming versions of Outlook and the AOL 9.0 email
> reader will no longer show images in HTML email messages by default.
> Hotmail offers this same feature as an option today.  This feature is
> intend to make email more kid-friendly by blocking porno pictures in
> incoming spam messages.  It also stops spammers for snooping on people
> using Web bugs.
>
> It will be interesting to see how email marketing companies and
> spammers adapt to these technical changes in HTML email.
>
> Richard M. Smith
> http://www.ComputerBytesMan.com
>
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ