lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 May 2005 11:16:34 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Security issue in Microsoft Outlook


Bakchodiya wrote:

> An issue has been discovered in MS Outlook (All
> Versions) where anyone can fake a URL & send it
> across.
<<snip details>>

This is a long-known issue with all Office applications that support 
(by default) automatic HREF-ing (if making HTML) or other forms of 
cross-referencing/web-linking.  It is one of many, many examples of how 
badly mis-named all those "smart" option thingamies are that the 
marketroids so love demonstrating at product release shows and such...

In short, smart enough to initially recognize that you _may_ want this 
to be an active link, but far too dumb to recognize that once such a 
link has been created automatically, for many users much more smarts 
are needed by the "smart" system should the user want to change the 
link...

> I am not sure how critical this is but it can fool
> alot of people & result in download of a virus.

Well, that is a different issue.

A significant and valuable part of the _point_ of hyperlinks is that 
the displayed text need not be a literal representation of the target
-- think about it for a moment...

Yes -- far too many people are so poorly trained in the workings of the 
technology that they don't know to look past the surface display 
(though there is a very strong human factors argument that the they 
should not need to), that the status bar is there for a reason (though, 
of course, the technologists had to eff-up even that by allowing active 
content in the "data" alter the status bar display), and so on, but 
some folk still smoke (and worse) tobacco (and worse) products, so 
maybe that is an intractable problem for some (hopefully small-ish 
proportion of the population.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists