On 10 Feb 2021, at 11:17, Kris Deugau wrote:
Bill Cole wrote:
On 9 Feb 2021, at 18:37, Kenneth Porter wrote:
<https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/>
I'm reminded of the recent post suggesting that SA parse QR codes to
feed URLs to block lists.
The email includes a web document pretending to be an Excel document
(double extension .xlsx.hTML) that contains a JavaScript Morse
decoder and a string with the URLs encoded in Morse.
I see two ways to block this: 1) MUAs should ignore code in HTML.
All minimally secure MUAs ignore any embedded JavaScript. Any MUA
written in this century that executes JavaScript should itself be
deemed malware.
Thunderbird and Seamonkey both have it supported and enabled out of
the box.
Are you sure that is true today? It was not so for TBird when last I
looked, but that was some years back.
I would not be surprised if Outlook did, along with no way to disable
it.
I would be quite surprised, since that was removed from the desktop
version of Outlook a long time ago. What Microsoft 365's "Outlook" does,
I do not know.
Mac Mail probably does, again likely with at best a tedious hassle to
disable it.
Random libel. I have a lot of deep disagreements with the design and
implementation of Mail.app, but it doesn't run JS in email and never
has.
Windows Mail (AKA "the descendant of Outlook Express") probably does as
well, also likely can't be disabled without tinkering with the program
binary or libraries. That probably covers 99% of the general
end-users that use a desktop MUA.
Not being a Windows user, I cannot say. Given your other guesses, I'm
not inclined to think that this is true.
This would be one of the few points I'd grant in favour of webmail;
at least any Javascript is executing in a browser that's had a lot
more attention to putting a leash on JS misbehaviour.
Back in the bad old days, OE used IE to render all HTML so it
theoretically got whatever scrutiny IE gave.
I would personally class any email with active Javascript as malware -
it should never have been supported at all IMO - but the marketing
departments have taken charge and I see all too much (i.e., more than
absolutely none) legitimate mail using it.
I see none. I guess that just proves that everyone's mailstream is
different.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
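
An added example, not part of the original message and not SpamAssassin code: a filter-side check for the attachment pattern described at the top of the thread, a document extension followed by an HTML extension (as in `.xlsx.hTML`) on a part that carries a script element. The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# A document-style extension immediately followed by an HTML one, any case,
# e.g. "name.xlsx.hTML". The extension list is an assumption; tune it locally.
DOUBLE_EXT = re.compile(r"\.(xlsx?|docx?|pptx?|pdf)\.x?html?$", re.I)
HTML_EXT = re.compile(r"\.x?html?$", re.I)
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.I)

def scan_message(msg):
    """Return [(filename, [reasons])] for attachments matching the pattern."""
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if not name:
            continue  # body parts and multipart containers carry no filename
        reasons = []
        if DOUBLE_EXT.search(name):
            reasons.append("double-extension")
        is_html = part.get_content_type() == "text/html" or bool(HTML_EXT.search(name))
        body = part.get_payload(decode=True) or b""  # undo base64/QP transfer encoding
        if is_html and SCRIPT_TAG.search(body):
            reasons.append("script-in-html-attachment")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed test message: one suspicious and two benign attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.org", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment("<html><script>/* placeholder */</script></html>",
                       subtype="html", filename="invoice.xlsx.hTML")
    msg.add_attachment("<html><p>No script here.</p></html>",
                       subtype="html", filename="newsletter.html")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()):
        print(name, ", ".join(reasons))
```

The check looks only at the attachment's name and the presence of a script element, so it does not depend on how the URLs inside the script are encoded.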