[23108] in bugtraq


Re: Microsoft Security Bulletin MS01-055

daemon@ATHENA.MIT.EDU (Clover Andrew)
Mon Nov 12 13:27:01 2001

Date: Mon, 12 Nov 2001 16:14:53 +0100
Message-ID: <D58B0195B58937489E89124469E57CA249DA0A@EX1.1value.com>
From: "Clover Andrew" <aclover@1value.com>
To: <bugtraq@securityfocus.com>

Microsoft Product Security <secnotif@MICROSOFT.COM> wrote:

> Mitigating Factors: [...]

> Users who have set Outlook Express to use the "Restricted
> Sites" Zone are not affected by the HTML mail exploit of this
> vulnerability

Sorry, but this is not true.

Whilst pages in the Restricted Sites zone are barred from using active
scripting, there are other ways of redirecting the user to a malicious
about: URL. Two I can think of straight away that require no user
intervention are:

  <meta http-equiv="refresh" content="1;url=about:...">
  <iframe src="about:...">

both work on Outlook 2000 with mail content in the Restricted Sites
zone. Since I stated exactly this whilst discussing the previous
vulnerability with secure@microsoft, I'm disappointed to see this
argument wheeled out again.

-- 
Andrew Clover
Technical Consultant
1VALUE.com AG
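
A mail-filter check for the two script-free navigation vectors named in the message above, as an added example that is not part of the original post: it reports `meta` refresh targets and frame sources that use the `about:` scheme. The function names, the blocked-scheme set and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Schemes refused as automatic navigation targets (assumption of this example).
BLOCKED_SCHEMES = {"about"}

# Splits a refresh value such as "1;url=about:..." into delay and target.
_REFRESH = re.compile(r"^\s*[\d.]*\s*[;,]?\s*(?:url\s*=\s*)?(.*)$", re.I | re.S)

def url_scheme(url):
    """Lowercased scheme of url, after dropping whitespace and control characters."""
    cleaned = re.sub(r"[\x00-\x20]", "", url or "")
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else ""

class AutoNavFinder(HTMLParser):
    """Collects navigation that happens without script and without a click."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        a = {name: (value or "") for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            target = _REFRESH.match(a.get("content", "")).group(1).strip("'\" ")
            self._check("meta-refresh", target)
        elif tag in ("iframe", "frame"):
            self._check(tag + "-src", a.get("src", ""))

    def _check(self, kind, url):
        if url_scheme(url) in BLOCKED_SCHEMES:
            self.findings.append((kind, url))

def find_auto_navigation(html):
    """Return (vector, url) pairs for blocked-scheme automatic navigation."""
    finder = AutoNavFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample; "about:..." is elided exactly as in the message.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="1;url=about:...">
</head><body>
<iframe src="about:..."></iframe>
<iframe src="http://example.com/"></iframe>
<a href="about:...">needs a click, so not reported</a>
</body></html>"""
print(find_auto_navigation(SAMPLE))
```

The check runs on parsed attributes rather than raw text, so entity-encoded or mixed-case spellings of the scheme are reported as well.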
