[11784] in bugtraq


Re: IE5 allows executing programs

daemon@ATHENA.MIT.EDU (David LeBlanc)
Thu Sep 9 12:55:24 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.3.32.19990903090616.050b7750@mail.mindspring.com>
Date:         Fri, 3 Sep 1999 09:06:16 -0700
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To:         griffinb@hotkey.net.au, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199909030120.LAA09385@rockhampton-psvr.qld.hotkey.net.au>

At 11:19 AM 9/3/99 +1000, Brad Griffin wrote:

>" I use Eudora Pro and have IE 5 as the default mail viewer (as is the
>default Install) and you crashed Eudora (NT not logged in as
>Administrator). I had to disable IE 5 as the default viewer to see the
>mail..."
>I assume this would have been caused by the mail reader attempting to
>execute all four fragments of code.

There was an issue a while back where you could send people using Eudora
javascript in their e-mail.  I think your assumption is valid. I don't know
if Eudora 4.x allows people to set the security zone that IE uses (I hope
it does).

This is why I _strongly_ suggest that if you're using any type of HTML
enabled e-mail, set it up to run under the most paranoid settings possible.
Most normal mail uses pretty standard HTML, with no Java or anything else,
so you're not really losing any functionality you'll actually use.

Not only will it save you from this attack, but there are lots of other
nasty things that no longer work.  Even though you still want to go get the
patches, this measure keeps you out of trouble as a blanket measure.

I'd bet that if your friends lock down their viewing settings, they can see
the mail just fine.


David LeBlanc
dleblanc@mindspring.com
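The distinction the post draws between "standard HTML" mail and mail that carries script or other active content can be checked mechanically on the receiving side. The scanner below is an added example, not part of the original post or of any mail client; the RFC 822 message it parses is constructed, and it uses only the Python standard library.

```python
import email
from email import policy
from html.parser import HTMLParser

# Elements whose presence turns "standard HTML" mail into active content.
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}


class ActiveContentScanner(HTMLParser):
    """Record active tags, inline event handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):                       # onload=, onclick=, ...
                self.findings.append(f"<{tag} {name}=...>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {name}=javascript:...>")


def scan_message(raw):
    """Return a list of findings for every text/html part of a raw message.

    An empty list means the HTML is the plain markup a locked-down viewer
    renders without loss; anything listed would be blocked by such settings.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ActiveContentScanner()
            scanner.feed(part.get_content())   # decoded text of the HTML part
            findings.extend(scanner.findings)
    return findings


# Constructed sample: multipart/alternative mail whose HTML part is active.
SAMPLE = """From: sender@example.invalid
To: reader@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/html

<html><body onload="x()"><p>hello</p><script>alert(1)</script>
<a href="javascript:void(0)">link</a></body></html>
--b1--
"""
```

Running `scan_message(SAMPLE)` reports the `onload` handler, the `<script>` element and the `javascript:` link, while a mail whose HTML part is only paragraphs and links yields nothing.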
