Message-ID: <1059385008.3f24eeb00d9e7@www.geekgang.co.uk>
From: pre at geekgang.co.uk (pre)
Subject: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")
Quoting "http-equiv@...ite.com" <1@...ware.com>:
>
> Friday, July 25, 2003
>
> Active Scripting and HTML in a plain text mail message:
>
> MIME-Version: 1.0
> Content-Type: text/plain;
> Content-Transfer-Encoding: 7bit
> X-Source: 25.07.03 http://www.malware.com
>
> <img dynsrc=javascript:alert()><font color=red>foo
>
This is a well known issue in IE, and hence Outlook.
It's a well known security hole that Microsoft has refused or is unable to
fix.
I (and others) have reported this issue over the last few years. MS acknowledge
the problem but will not fix it.
Advisory at: http://www.geekgang.co.uk/adv/gsa2002-01.txt
When I last tested this, the Finjan Surfingate web filtering software correctly
filtered this out (for web browsing, obviously).
I tested this again last week with a fully patched IE 6 on WinXP and it is still
vulnerable.
.pre
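
A filtering-side check for the condition discussed in this thread, as an added example that is not part of the original post or the advisory: it walks a message's `text/plain` parts and flags HTML tags, marking those that carry script URLs or event handlers. The function name, the regular expressions and the benign sample are assumptions made for illustration; `SAMPLE` is constructed from the message quoted above.

```python
import email
import re

# Constructed sample: the text/plain message quoted in the post above.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

<img dynsrc=javascript:alert()><font color=red>foo
"""

# Constructed benign sample: angle brackets that are not HTML tags.
BENIGN = """\
MIME-Version: 1.0
Content-Type: text/plain

if a < b and b > c: see <https://example.org/> for details
"""

# Heuristic: an opening tag is '<', a letter-led name, optional attributes, '>'.
TAG = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)(\s[^<>]*)?>")
# Attribute whose value is a script URL, e.g. dynsrc=javascript:...
SCRIPT_ATTR = re.compile(r"[\w-]+\s*=\s*[\"']?\s*(?:javascript|vbscript):", re.I)
# Inline event handlers such as onerror= or onload=
EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.I)

def scan_plain_parts(raw):
    """Return (kind, tag) findings for markup inside text/plain parts."""
    findings = []
    msg = email.message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        # latin-1 never fails to decode and keeps ASCII markup intact.
        text = payload.decode("latin-1")
        for m in TAG.finditer(text):
            name, attrs = m.group(1).lower(), m.group(2) or ""
            if name == "script" or SCRIPT_ATTR.search(attrs) or EVENT_ATTR.search(attrs):
                findings.append(("active-content", m.group(0)))
            else:
                findings.append(("html-tag", m.group(0)))
    return findings

if __name__ == "__main__":
    for kind, tag in scan_plain_parts(SAMPLE):
        print(kind, tag)
```

A gateway could quarantine on `active-content` and escape or log on `html-tag`, since a part declared as plain text has no legitimate need to carry either.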