
[Full-disclosure] Re: Security issue in Microsoft Outlook



Bakchodiya wrote:

> An issue has been discovered in MS Outlook (All
> Versions) where anyone can fake a URL & send it
> across.
<<snip details>>

This is a long-known issue with all Office applications that support 
(by default) automatic HREF-ing (if making HTML) or other forms of 
cross-referencing/web-linking.  It is one of many, many examples of how 
badly mis-named all those "smart" option thingamies are that the 
marketroids so love demonstrating at product release shows and such...

In short, smart enough to initially recognize that you _may_ want this 
to be an active link, but far too dumb to recognize that once such a 
link has been created automatically, for many users much more smarts 
are needed by the "smart" system should the user want to change the 
link...

> I am not sure how critical this is but it can fool
> a lot of people & result in download of a virus.

Well, that is a different issue.

A significant and valuable part of the _point_ of hyperlinks is that 
the displayed text need not be a literal representation of the target
-- think about it for a moment...

Yes -- far too many people are so poorly trained in the workings of the 
technology that they don't know to look past the surface display 
(though there is a very strong human factors argument that they 
should not need to), that the status bar is there for a reason (though, 
of course, the technologists had to eff-up even that by allowing active 
content in the "data" alter the status bar display), and so on, but 
some folk still smoke (and worse) tobacco (and worse) products, so 
maybe that is an intractable problem for some (hopefully small-ish) 
proportion of the population.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/