Message-ID: <428C7592.8492.11AB95DD@localhost>
Date: Thu, 19 May 2005 11:16:34 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Security issue in Microsoft Outlook
Bakchodiya wrote:
> An issue has been discovered in MS Outlook (All
> Versions) where anyone can fake a URL & send it
> across.
<<snip details>>
This is a long-known issue with all Office applications that support
(by default) automatic HREF-ing (if making HTML) or other forms of
cross-referencing/web-linking. It is one of many, many examples of how
badly mis-named all those "smart" option thingamies are that the
marketroids so love demonstrating at product release shows and such...
In short, smart enough to initially recognize that you _may_ want this
to be an active link, but far too dumb to recognize that once such a
link has been created automatically, for many users much more smarts
are needed by the "smart" system should the user want to change the
link...
> I am not sure how critical this is but it can fool
> a lot of people & result in download of a virus.
Well, that is a different issue.
A significant and valuable part of the _point_ of hyperlinks is that
the displayed text need not be a literal representation of the target
-- think about it for a moment...
Yes -- far too many people are so poorly trained in the workings of the
technology that they don't know to look past the surface display
(though there is a very strong human factors argument that they
should not need to), that the status bar is there for a reason (though,
of course, the technologists had to eff-up even that by allowing active
content in the "data" alter the status bar display), and so on, but
some folk still smoke (and worse) tobacco (and worse) products, so
maybe that is an intractable problem for some (hopefully small-ish
proportion of the population).
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
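The two points Nick raises above (display text that need not match the href, and active content rewriting the status bar) are both mechanically checkable on the message side. The following is an added example, not code from either poster: a small Node.js scan over the HTML body of a message that flags anchors whose visible text looks like a URL naming one host while the href points at another, and anchors whose attributes contain a window.status assignment. The anchor regex, the helper names and the sample message are all assumptions made for this illustration; the sample HTML is constructed and uses TEST-NET and example.* hosts.

```javascript
// Added example (not from the original thread). Assumes Node.js with the
// WHATWG URL class. Detects the two tricks discussed above:
//  1. link text that looks like a URL but whose host differs from the href
//  2. anchors that rewrite the status bar via window.status in a handler
// The anchor pattern is a deliberate simplification for mail bodies; it is
// not a general HTML parser.

const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>(.*?)<\/a>/gis;

// Reduce the inner HTML of an anchor to the text a reader actually sees.
function stripTags(html) {
  return html.replace(/<[^>]+>/g, "").replace(/\s+/g, " ").trim();
}

// Hostname of a URL-looking string, or null if the text is not a URL claim.
function hostOf(text) {
  const s = text.trim();
  if (!/^(https?:\/\/|www\.)/i.test(s)) return null;
  try {
    return new URL(/^https?:/i.test(s) ? s : "http://" + s).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Anchors whose displayed text names one host while the href targets another.
function findMismatchedLinks(html) {
  const hits = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const text = stripTags(m[2]);
    const shownHost = hostOf(text);
    if (shownHost === null) continue; // plain words make no literal claim
    let targetHost;
    try {
      targetHost = new URL(href).hostname.toLowerCase();
    } catch {
      targetHost = null;
    }
    if (targetHost !== shownHost) hits.push({ text, href, shownHost, targetHost });
  }
  return hits;
}

// Anchors whose opening tag sets window.status (status bar spoofing).
function findStatusBarSpoofs(html) {
  const hits = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const openTag = m[0].slice(0, m[0].indexOf(">") + 1);
    if (/window\.status\s*=/i.test(openTag)) {
      hits.push({ href: m[1], text: stripTags(m[2]) });
    }
  }
  return hits;
}

// Constructed sample message body (assumption, not a captured mail):
// an honest auto-link, an edited auto-link whose text no longer matches,
// and a plain-text link that rewrites the status bar on hover.
const SAMPLE = [
  '<p>Report: <a href="http://www.example.com/report">http://www.example.com/report</a></p>',
  '<p>Update: <a href="http://203.0.113.5/update.exe">http://www.example.org/update</a></p>',
  '<p>See <a href="http://www.example.net/" onmouseover="window.status=\'http://www.example.com/\';return true">the site</a></p>',
].join("\n");

console.log(findMismatchedLinks(SAMPLE));
console.log(findStatusBarSpoofs(SAMPLE));
```

Only anchors whose visible text is itself URL-like are compared, so ordinary descriptive link text (which legitimately differs from its target) is not reported; the status bar check is independent of the text and fires on any handler that assigns window.status.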