|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Final word: Eudora and malicious HTML
Jonathan M. Gilligan (jonathan.gilligan
VANDERBILT.EDU)
Mon, 29 Nov 1999 11:11:31 -0600
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Mnemonix: "Oracle Web Listener"
- Previous message: Ussr Labs: "Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability"
- Next in thread: Vesselin Bontchev: "Re: Final word: Eudora and malicious HTML"
- Reply: Vesselin Bontchev: "Re: Final word: Eudora and malicious HTML"
- Reply: Jeff Beckley: "Re: Final word: Eudora and malicious HTML"
Here is the final word on the problems with Eudora and HTML:
First, Eudora appears to effectively strip out all executable script if the
"Allow Executable HTML Content" option is unchecked. Thus, it should NOT be
possible for malicious HTML code to execute under Eudora WHETHER OR NOT you
are using Microsoft's viewer. This means that if you have "Allow Executable
HTML Content" turned off, I can't see any way for an email virus to affect
your computer through Eudora.
However, a denial-of-service attack is possible due to flawed coding in the
Microsoft HTML renderer. There are well-known DOS attacks against IE using
things such as a form with an input field that specifies SIZE="99999999"
MAXLENGTH="99999999" then IE will go into a quasi-infinite loop allocating
memory until the system runs out of memory and resources. I would blame
this on Microsoft's HTML renderer and do not see a reasonable way for
Eudora to try to proofread all HTML content for parameters that could cause
the MS renderer to barf. If this kind of DOS scares you, Qualcomm has
kindly given you the option to turn off the Microsoft HTML renderer
(uncheck the "Use Microsoft's Viewer" box under Tools/Options/Viewing Mail).
However, this attack does not involve execution of malicious code; it
merely hoses the layout engine. I see danger of Trojans or viruses from
this attack and simply killing the Eudora application from Task Manager
will suffice.
Since I (and perhaps other NTBUGTRAQ readers) have run into problems with
Eudora trying to render malicious HTML snippets in NTBUGTRAQ mailings,
leading to Eudora freezing as in the DOS attack described above, it is
useful to know that the latest (4.2.2) release of Eudora adds a
configuration option "HtmlInPlainText", which you can set to zero to turn
off rendering HTML snippets in a message that is not wrapped with
.... If you want to disable the rendering of disembodied HTML
elements, just add the line
HtmlInPlainText=0
to the [Settings] portion of your Eudora.ini file.
I would like to thank Jeff Beckley of Qualcomm for spending an
extraordinary amount of time and effort helping me get to the bottom of
this problem.
Jonathan Gilligan
- Next message: Mnemonix: "Oracle Web Listener"
- Previous message: Ussr Labs: "Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability"
- Next in thread: Vesselin Bontchev: "Re: Final word: Eudora and malicious HTML"
- Reply: Vesselin Bontchev: "Re: Final word: Eudora and malicious HTML"
- Reply: Jeff Beckley: "Re: Final word: Eudora and malicious HTML"
This archive was generated by hypermail 2.0b3 on Mon Nov 29 1999 - 12:22:32 CST