Now there are options for screening potentially dangerous messages, or even eliminating HTML email from your life.
Three things to make HTML email bearable
2002-02-04
TL (2 replies)

Don't use Outlook
2002-02-04
Anonymous (2 replies)

Don't use Outlook
2002-02-06
Anonymous (2 replies)

No, Microsoft simply designed a client. The exploits are not "easy" as you put it, but rather a result of the functionality that users (world-wide) demanded be added. The only reason it is exploited is because of Outlook being predominant. Someone had to maliciously and intently discover the weaknesses, and then exploit them without informing MS to fix it or not waiting for MS to do so. Microsoft fixes the flaws as soon as their monolithic bureaucracy gets moving. If the exploiters were truly "the good guys" they wouldn't release the code that was malicious, now would they? Additionally, all HTML-capable email clients are vulnerable to one extent or another. Outlook is only targeted because the word "Microsoft" accompanies it.

"2) Blaming the users for not understanding the consequences of those design decisions is like blaming fish for crapping in the water."

By default, and in and of itself, Outlook is fine. At what point do we demand that users be educated, I wonder? Blaming Outlook is like blaming the door manufacturer when someone breaks into your house. Let's not blame the program, but instead let us blame the criminal.

"3) Blaming the markup language is like blaming the water for the fish crapping in it."

HTML, by its own nature, lends itself to such exploitation. That's what makes it flexible and useful. But the vulnerabilities you point out in Outlook are only there because HTML (and scripting) is supported. The problem is not Outlook but rather the problem is that HTML mail is allowed in the first place. There is NO place for HTML mail, in my opinion (but I'm old school). The only mail should be plain text. The problem is using HTML for something it was never intended to do and then expecting it to be immune to assault.

Again, it all comes down to education of the user. Taking knowledge from the user is bad; giving tools is good. But in the end there is a price that is to be paid. The price is (in this case) that HTML is not something that should be used in email and its use should be discouraged. Outlook is not the problem, but rather HTML being vulnerable and users not knowing any better. Place the blame squarely where it belongs.
Link to this comment: http://www.securityfocus.com/comments/columns/58/10607#10607