afongen
Sam Buchanan's weblog.

IE vulnerabilities are so much fun.

We don't allow HTML mail at work. Our GroupWise email clients are configured to disable both display and creation of HTML messages. This causes some problems for those who receive HTML mail without a plain-text equivalent, but someone decided that the benefits are strong enough that the inconvenience is worth it. Some may declare to our tech support, "You're preventing me from doing my job!" but they're wrong.

The problem is Internet Explorer. Many popular Windows email clients use IE for HTML rendering. Since IE is riddled with unpatched security holes, HTML mail is potentially unsafe. Opening an email message is enough to bring down your machine.

To help out our beleaguered tech support staff, I put together a little web-based app that demonstrates our two primary reasons for disabling HTML mail: security and spam. (Spammers sometimes use single-pixel images to track their mail and help identify valid addresses.) It's quite simple: supply an email address, and the system sends you an HTML-only message. The message contains an <img> whose src is a PHP script that associates your email address with an IP, user agent, what time the message was opened, etc. Most important to a spammer is that the email address is valid. A more malevolent attacker could use the user agent information to craft a more focused exploit.
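As an added example (not the demo app from this post, and not its PHP script), here is the defender-side check a mail gateway or client could run: it scans an HTML message body for remote images that look like the tracking beacon described above (tiny dimensions, an identifier in the query string, a script-generated image). The sample message and host name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class TrackingPixelFinder(HTMLParser):
    """Collect every <img> whose src would cause a fetch from a remote host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        src = a.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded and do not phone home
        reasons = []
        # A 1x1 (or 0x0) image carries no content; its only job is the request.
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny image")
        # Query parameters tie the fetch to a specific recipient (e.g. the address).
        if parse_qs(url.query):
            reasons.append("identifier in query string")
        # An image served by a script can log IP, user agent and time per request.
        if url.path.lower().endswith((".php", ".cgi", ".asp", ".aspx", ".pl")):
            reasons.append("script-generated image")
        self.findings.append({"src": src, "host": url.netloc, "reasons": reasons})


def find_remote_images(html):
    """Return all remote <img> references in the message, with their indicators."""
    parser = TrackingPixelFinder()
    parser.feed(html)
    return parser.findings


def flag_beacons(html):
    """Return only the remote images that show at least one tracking indicator."""
    return [f for f in find_remote_images(html) if f["reasons"]]


# Constructed sample: one beacon, one ordinary remote logo, one embedded image.
SAMPLE_HTML = """<html><body><p>Hello!</p>
<img src="http://mail.example.invalid/track.php?addr=user%40example.invalid" width="1" height="1">
<img src="https://www.example.invalid/logo.png" width="200" height="60">
<img src="cid:part1@local">
</body></html>"""

if __name__ == "__main__":
    for hit in flag_beacons(SAMPLE_HTML):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

Blocking remote image loading in the client stops all three fetches; this scan only tells you which of them would have identified the recipient.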

The message also includes exploits for several IE vulnerabilities: one buffer overflow (now patched), an ActiveX exploit, and now something that launches NotePad (see this followup). Depending on the circumstances in which the message is opened, one or all of those is triggered.

The trouble was not coming up with exploits. IE security holes abound. The trick was coming up with something that a non-technical user can see is a problem. So many of the vulnerabilities are complex or hidden: "Oh no, a cookie has been read!"

The astute reader will point out that disabling image loading and scripting in the email client protects against most of the existing vulnerabilities. True enough, which is why I included a bogus link in the same message on a web server. If the user follows the link, IE crashes. Also, in my tests I was still able to launch NotePad without user intervention. Considering the rate at which IE security holes are discovered, some of which do not require scripting, I do not consider simply disabling functionality to be adequate protection.

I used to abhor HTML mail but no longer feel so strongly: I can understand why many people prefer to read styled text. That is, as long as a plain text version is sent as well. I just read the plain text version and refuse to read HTML-only mail. Know, however, that there are risks.

Simon Willison may be glad that he switched to Firebird. Switching your web browser may not be enough.

Now I'm going to get all sorts of mail complaining that I'm alarmist. Nah. I just think that my employer's tech support staff's concerns are valid, and if they don't want to enable HTML mail, I stand with them.