CERT recommends NOT using HTML in Email


John Coutts

In its latest security alert, CERT has recommended:
-----------------------------------------------------------------------
Read and send email in plain text format
Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
to view email messages in text format. Consider the security of
fellow Internet users and send email in plain text format when
possible. Note that reading and sending email in plain text will
not necessarily prevent exploitation of this vulnerability.
-----------------------------------------------------------------------

They are basically saying what I have said for years:
HTML DOES NOT BELONG IN A MESSAGING SYSTEM

The full text can be seen at:
http://www.us-cert.gov/cas/techalerts/TA04-315A.html

J.A. Coutts
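A defender-side check of the recommendation quoted above, added here and not taken from the CERT alert or from anyone in this thread: it walks the MIME parts of a raw message and reports whether a plain-text alternative exists (so a client set to "read as plain text" loses nothing) and whether the HTML part embeds an IFRAME, the element the alert's vulnerability is reached through. The sample message, the `placeholder.invalid` host and the function names are constructed for this example.

```python
"""Summarise the MIME parts of a raw RFC 822 message so a mail gateway or a
log line can say whether it can be read in plain text and whether its HTML
part embeds an IFRAME (the element the TA04-315A bug is reached through)."""
import re
from email import message_from_string

# An <iframe ...> start tag, any case, optional whitespace after '<'.
IFRAME_TAG = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def html_bodies(msg):
    """Yield the decoded text of every text/html part in the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield payload.decode(charset, errors="replace")


def classify(raw):
    """Return has_plain (a text/plain part exists, so a plain-text reader loses
    nothing), has_html (an HTML part would be rendered) and iframe_count."""
    msg = message_from_string(raw)
    types = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    iframe_count = sum(len(IFRAME_TAG.findall(b)) for b in html_bodies(msg))
    return {"has_plain": "text/plain" in types,
            "has_html": "text/html" in types,
            "iframe_count": iframe_count}


# Constructed sample: multipart/alternative with a plain and an HTML version;
# the HTML version carries an inert IFRAME pointing at a placeholder host.
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hello, this is the plain-text version.
--b1
Content-Type: text/html; charset=us-ascii

<html><body>Hello<IFRAME src="http://placeholder.invalid/"></IFRAME></body></html>
--b1--
"""

if __name__ == "__main__":
    print(classify(SAMPLE))  # {'has_plain': True, 'has_html': True, 'iframe_count': 1}
```

A message with no text/plain part is the case worth alerting on in a plain-text-only policy, since the reader then sees nothing unless the HTML is rendered.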
 
Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant
exploits.

McAfee DAT v4405 and above provides protection against this exploit.

Dave

You sound like an av marketroid. What the marketroids don't tell you is
that the use of sane email apps is all that's required.

Art
http://www.epix.net/~artnpeg
 
One man's poison is another man's pleasure Art.

Dave ;-)



| On Fri, 12 Nov 2004 15:41:35 GMT, "David H. Lipman"
|
| >Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant
| >exploits.
| >
| >McAfee DAT v4405 and above provides protection against this exploit.
| >
| >Dave
|
| You sound like an av marketroid. What the marketroids don't tell you is
| that the use of sane email apps is all that's required.

One person's pleasure is another person's insanity :)

Art
http://www.epix.net/~artnpeg
 
Exactly!

Dave:
BTW: Art, since I have your attention, I'd like to ask you a question about Sys-Up. This
is a great utility - Thank You. However, it wants to execute SYSCLEAN.COM immediately. I
suggest to posters that sysclean be used in Safe Mode to increase its effectiveness. How
can SysUp be used such that it gets SYSCLEAN.COM and the latest Pattern File but does not
launch sysclean upon getting the components ?

Thanx...
Dave




| On Fri, 12 Nov 2004 16:57:41 GMT, "David H. Lipman"
|
| >One man's poison is another man's pleasure Art.
| >
| >Dave ;-)
|
| One person's pleasure is another person's insanity :)

For those who don't know, Dave is obviously referring to a little util
I made available at my web site as a convenience to users. It uses
WGET to d/l both large files required .... the Sysclean program and
the latest pattern file. The util automatically invokes the Sysclean
program after the downloads.

I don't see the auto-start of Sysclean as a problem, though I see your
point. I'm sure you're right that in many or most cases Sysclean
should be run in Safe mode. All users have to do is Exit Sysclean and
reboot into Safe mode.

I always recommend shutting off (unchecking) the option to
automatically clean or delete detected files. Too damn many false
alarms and misidentifications nowadays. Users should always run more
than one scanner and assess the situation before taking clean and
delete actions. The Escan av utility (based on KAV), which now doesn't
clean/delete, should be used in conjunction with Sysclean and
preferably before it.

Also, there's an "Advanced" selection which allows you to scan selected
folders and/or drives.


Art
http://www.epix.net/~artnpeg
 
Thank you Art -- I had to ask.

Dave




| On Fri, 12 Nov 2004 19:46:30 GMT, "David H. Lipman"
|
| >BTW: Art, since I have your attention, I'd like to ask you a question about Sys-Up. This
| >is a great utility - Thank You. However, it wants to execute SYSCLEAN.COM immediately. I
| >suggest to posters that sysclean be used in Safe Mode to increase its effectiveness. How
| >can SysUp be used such that it gets SYSCLEAN.COM and the latest Pattern File but does not
| >launch sysclean upon getting the components ?
| >
| >Thanx...
| > Dave
 