[Gllug] HTML Malware

Russell Howe rhowe at siksai.co.uk
Sat Jul 8 18:09:17 UTC 2006


On Thu, Jul 06, 2006 at 01:20:03PM +0100, Mick Farmer wrote:
> Dear GLLUGers,
> 
> I'm having difficulty explaining to a colleague that HTML
> (e-mail) can contain malicious exploits.  Does anyone know
> where I can obtain a benign example that I can demonstrate?
>
> He's a Firefox user.

That's nice, but Firefox is a web browser - does he use it to read his
email from a webmail service, or does he use an email client for his
email?

Regardless of the application used, pretty much every HTML renderer has
had and continues to have security flaws. Just look at the list of flaws
in Mozilla Gecko (the rendering engine used by Mozilla apps to render
HTML).

Parser bugs (in general, not limited to HTML) are not uncommon, and so
whenever a program parses untrusted data from the network, there is
potential for exploits.

Plain text email has much simpler processes involved, parsing of email
headers, email addresses and the body.

Hell, MIME is complicated enough to get 'right' (where 'right' is not
necessarily as per the spec) without having to worry about HTML. There
have been numerous bugs in mail clients' MIME support - just look at
Outlook Express's chequered history.

Add to all that the things people have already pointed out w.r.t. HTML's
ability to link to arbitrary content, and to have embedded code
(Javascript, VBScript, Java applets, etc) and you have a document viewer
with built-in remote code execution - keeping that execution safe is
somewhat of a challenge.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list