When sending out email messages, Outlook 2007 supports plain text, HTML,
and Outlook RTF. I think these same 3 options have been around for years in
Outlook. Outlook 2007 and previous versions will display these same 3
formats.
But I've also wondered for a long time what other MIME types Outlook will
automatically display in message bodies and how to turn off these MIME
types. Does anyone know the answer?
Richard
> Richard M. Smith wrote:
>
>> These 3 Word bugs are interesting, but I suspect they are not
>> exploitable in
>> an Outlook email message because an email message is HTML text and not a
>> Word .DOC file. ...
>
> Are you sure there's actually that much of a distinction any more?
>
> Have you looked at all the permutations of the new, default Word format
> and how these may be able to be conveyed within the body of a MIME
> Email message?
>
>> ... To find security problems in Word that can be exploited
>> from an Outlook email message instead requires fuzzing HTML. Security
>> problems with HTML of course can be a problem with an email reader that
>> supports HTML including readers which blindly convert HTML to plain
>> text.
>
> 8-)
>
>> I wonder how well Nick's Pegasus email reader has been vetted for
>> HTML-related security problems?
>
> I don't know.
>
> I do know there are two separate HTML engines (don't ask) and one has a
> very nasty habit of crashing with certain types of malformed .GIF that
> are not totally uncommon in some spam.
>
> What I do know is that PMail is probably nowhere near popular enough to
> be worth the bad guys' effort of looking at, apart from those who would
> fashion a carefully and narrowly targeted attack against someone who
> may happen to use PMail. And regarding HTML support, the renderers in
> PMail used to be "off by default" -- given a message with text/plain and
> text/html parts PMail would show you the text/plain version using its
> own (ancient) display routines. More recently, with the greater
> dumbing down of the userbase and the increase in use of HTML Email, the
> default setting for new installations has flipped that to preferring
> the HTML form. My only real concern here is that there is no config
> option to _not_ display HTML-only messages in the HTML viewer and
> either pop-up a warning or default to the "raw" ("source") view.
>
> It's possibly buggy as hell, but the point is that no-one, including
> the bad guys, is looking for the faults, so it is much safer in
> everyday use.
>
> And for me, despite its many idiosyncrasies, it has invaluable features
> that MS (and virtually all other MUA developers) has never included
> (and seems unlikely ever to consider).
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
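The body-selection policy discussed in the quoted message (prefer text/plain when both parts exist, and show an HTML-only message as source instead of handing it to a renderer), sketched with Python's standard `email` package. This is an added example, not code from Pegasus Mail or Outlook; the function names and the three sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

# Constructed sample messages (not taken from the thread).
ALTERNATIVE = (
    b"From: a@example.org\r\nSubject: both\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nplain body\r\n"
    b"--b1\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n<p>html body</p>\r\n"
    b"--b1--\r\n"
)
HTML_ONLY = (
    b"From: a@example.org\r\nSubject: html only\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n\r\n<p>html <b>only</b></p>\r\n"
)
WORD_BODY = (
    b"From: a@example.org\r\nSubject: doc as body\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: application/msword\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"  # placeholder bytes
)


def part_types(raw):
    """List the content type of every leaf part, in message order."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


def choose_view(raw):
    """Return (mode, text); mode is 'plain', 'source' or 'blocked'."""
    msg = message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        # A text/plain body exists: show it and ignore any HTML alternative.
        return "plain", plain.get_content()
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        # HTML-only message: return the markup as source text, unrendered.
        return "source", html.get_content()
    # Anything else (e.g. a Word document sent as the body) is not displayed.
    return "blocked", "no text body; part types: " + ", ".join(part_types(raw))


if __name__ == "__main__":
    for name, raw in (("alternative", ALTERNATIVE), ("html-only", HTML_ONLY),
                      ("word-body", WORD_BODY)):
        mode, text = choose_view(raw)
        print(f"{name}: {part_types(raw)} -> {mode}: {text.strip()!r}")
```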