[21149] in bugtraq
Re: [Fwd: Re: Cross-Site Request Forgeries (Re: The Dangers ofAllowing
daemon@ATHENA.MIT.EDU (Mark Tinberg)
Fri Jun 22 16:58:49 2001
Message-ID: <3B2FCC0C.2AF192F9@securepipe.com>
Date: Tue, 19 Jun 2001 17:02:52 -0500
From: Mark Tinberg <mtinberg@securepipe.com>
MIME-Version: 1.0
To: Lincoln Yeoh <lyeoh@pop.jaring.my>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lincoln Yeoh wrote:
>
> And if Microsoft Word becomes very intertwined with IE (word uses IE to
> fetch stuff) then word documents with image/object links will also be an
> issue. Mix well and add a few macros to taste ;).
>
While MS is the big wide target, it isn't just them that need to worry.
1) Many other pieces of software, including mail clients, use the
mshtml.dll library and can inherit any security bugs. I seem to fuzzily
remember Eudora mail and Novell GroupWise client allowing JavaScript
popups and probably being vulnerable to a whole host of
vulnerabilities. Luckily most vulnerabilities are targeted at Outlook
and OE but could be recoded to use other email clients.
2) Other environments that provide tight integration of components (I'm
thinking of KDE/Konqueror since I am a user of it) may also be
vulnerable to these issues. I don't really know how other
environments/object models deal with these issues, it would be nice to
hear from the various development teams/companies and how they have
dealt with these issues.
--
Mark Tinberg <MTinberg@securepipe.com>
Network Security Engineer
SecurePipe, Inc. -- Managed Network Security Services
Remember: Wherever you go, there you are!
