http://www.usatoday.com/tech/news/computersecurity/hacking/2004-12-24-we-three-winholes_x.htm "Users are urged to block e-mail attachments arriving with .hlp files attached and strongly encouraged to read e-mail in plain-text format to keep malicious images from utilizing LoadImage."
http://www.eweek.com/article2/0,1759,1745642,00.asp "To ward off the other problems, Symantec said, Windows users should block e-mail attachments with an .hlp extension, avoid untrusted sites or e-mail messages from unknown sources, and read messages in plain-text format."
http://www.windowsbbs.com/showthread.php?p=196648
SOFTWARE:
Mozilla 1.7.x http://secunia.com/product/3691/
Mozilla Thunderbird 0.x http://secunia.com/product/2637/
DESCRIPTION: plonk has discovered a weakness in Mozilla and Thunderbird, which can be exploited by malicious people to enumerate valid email addresses. The weakness is caused due to an improper behaviour where references to external stylesheets in HTML documents are followed. This can be exploited to validate the existence of a mail address when a malicious mail is opened. The weakness has been confirmed in Mozilla 1.7.3 and Thunderbird 0.8. Other versions may also be affected.
SOLUTION: If this is considered a problem, then disable HTML support in emails: "View" --> "Message Body As" --> "Plain Text"
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2email.mspx
Outlook Express
What new functionality is added to this feature in Windows XP Service Pack 2?
Plain Text Mode
Detailed description
The plain text mode feature of Outlook Express provides users with the option to render incoming mail messages in plain text instead of Hypertext Markup Language (HTML). When Outlook Express is running in plain text mode, the rich edit control is used instead of the MSHTML control. You avoid some security issues that result from the use of MSHTML by using the rich edit control.
Why is this change important?
The use of rich edit control provides an additional barrier to malicious code that is transmitted using e-mail. Computers running earlier versions of Windows XP had a vulnerability to malicious code because Outlook Express processes HTML header scripts in the HTML content. The MSHTML control automatically executes these scripts. The rich edit control does not execute HTML scripts, so this is mitigated. Because plain text e-mail does not require HTML header processing to be displayed properly, there is usually little visible difference from this processing change in standard message formats. Portions of e-mail messages that do not appear to render correctly are relying on HTML rendering and could present a danger to your system.
What works differently?
The following Outlook Express features are not available when running in plain text mode:
Changing text size to a larger or smaller font.
Full text searching through the body of a mail message.
You can configure plain text mode in several ways, including:
Reading a message. In Outlook Express, on the Tools menu, click Options, and then click the Read tab. Select the Read all messages in plain text check box.
Composing a message. In Outlook Express, on the Tools menu, click Options, and then click the Send tab. Under Mail Sending Format, select the Plain Text option.
With a new menu option. On the View menu, click Message in HTML. This new menu item switches the current message view to HTML if it is currently in plain text view, both in the preview display as well as in the full message display.
http://es.trendmicro-europe.com/enterprise/security_info/security_advisories.php?sa_id=210 "If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read email messages in plain text format to help protect yourself from the HTML email attack vector."
http://es.trendmicro-europe.com/enterprise/security_info/security_advisories.php?sa_id=206 "Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector."
http://www.slipstick.com/outlook/htmlmail.htm Office XP Service Pack 1 adds a new feature to Outlook 2002 -- the ability to display all incoming messages (except those that are digitally signed or encrypted) in plain text format. The original HTML or rich-text content is still present in the message, but in both an open message and the preview pane, the user sees only plain text. OL2002 Users Can Read Nonsecure E-mail As Plain Text explains this new feature and cautions that it can have an effect on custom Outlook solutions.
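The Mozilla/Thunderbird excerpt above turns on an HTML renderer following external references when a message is opened. As an added example (not taken from any of the quoted sources), this Python sketch shows the plain-text part of a message beside the remote references its HTML part would fetch; the sample message, the host tracker.example and all function names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE = """\
From: sender@example.org
To: user@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, plain text body.
--b1
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="http://tracker.example/s.css?id=user@example.com">
</head><body><p>Hello</p><img src="cid:logo"></body></html>
--b1--
"""

class RemoteRefFinder(HTMLParser):
    """Collects remote URLs on tags a renderer may load without user action."""
    FETCH_ATTRS = {("link", "href"), ("img", "src"), ("script", "src"), ("iframe", "src")}
    REMOTE = ("http://", "https://", "//")

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # cid: and relative references stay inside the message and are skipped.
            if (tag, name) in self.FETCH_ATTRS and value and value.lower().startswith(self.REMOTE):
                self.refs.append((tag, value))

def inspect_message(raw):
    """Return (plain-text body, remote references found in text/html parts)."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    text = plain.get_content().strip() if plain else ""
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return text, finder.refs
```

A mail gateway or triage script could log the returned references and deliver only the plain-text body, so that nothing is fetched when the message is opened.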
Updated January 5, 2005 mitch at ncsa.uiuc.edu ©1995-2005 - All rights reserved.