Quoting "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>:

> Friday, July 25, 2003
>
> Active Scripting and HTML in a plain text mail message:
>
> MIME-Version: 1.0
> Content-Type: text/plain;
> Content-Transfer-Encoding: 7bit
> X-Source: 25.07.03 http://www.malware.com
>
> <img dynsrc=javascript:alert()><font color=red>foo
>
This is a well known issue in IE, and hence Outlook. It's a well known security hole that Microsoft has refused or is unable to fix. I (and others) have reported this issue over the last few years. MS acknowledge the problem but will not fix it.

Advisory at: http://www.geekgang.co.uk/adv/gsa2002-01.txt

When I last tested this, the Finjan Surfingate web filtering software correctly filtered this out (for web browsing, obviously).

I tested this again last week with a fully patched IE 6 on WinXP and it is still vulnerable.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
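As an added example (not part of the original post or of any product named in it), a mail-gateway check can flag parts that are declared `text/plain` yet carry HTML tags or script URLs, which is the mismatch the quoted message relies on. The rule set, function name and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed rule set (illustrative, not exhaustive): markup a text/plain part never needs.
HTML_TAG = re.compile(
    r"<\s*/?\s*(?:img|script|iframe|object|embed|font|body|html|a)(?=[\s/>])[^<>]*>", re.I)
SCRIPT_URL = re.compile(
    r"\b(?:src|dynsrc|lowsrc|href)\s*=\s*[\"']?\s*(?:javascript|vbscript)\s*:", re.I)


def scan_plaintext_parts(raw_message):
    """Return one finding per part that is declared text/plain but carries HTML markup."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue  # parts declared as HTML go through the normal HTML policy instead
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        reasons = [name for name, rule in (("html-tag", HTML_TAG), ("script-url", SCRIPT_URL))
                   if rule.search(body)]
        if reasons:
            findings.append({"declared": "text/plain", "reasons": reasons})
    return findings


# Constructed sample messages (headers modelled on the quoted mail, addresses omitted).
HEADERS = ("MIME-Version: 1.0\nContent-Type: {ctype}; charset=us-ascii\n"
           "Content-Transfer-Encoding: 7bit\n\n")
SUSPECT = HEADERS.format(ctype="text/plain") + "<img dynsrc=javascript:alert()><font color=red>foo\n"
BENIGN = HEADERS.format(ctype="text/plain") + "if a < b and b > c, mail <alice@example.com>\n"
DECLARED_HTML = HEADERS.format(ctype="text/html") + "<font color=red>foo</font>\n"

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN), ("declared-html", DECLARED_HTML)):
        print(name, scan_plaintext_parts(raw))
```

A gateway would typically quarantine or rewrite flagged parts; ordinary angle brackets and bracketed e-mail addresses in plain text are not flagged.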
