PC Review
CERT recommends NOT using HTML in Email

#1
Guest
In its latest security alert CERT has recommended:
-----------------------------------------------------------------------
Read and send email in plain text format
Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.
-----------------------------------------------------------------------

They are basically saying what I have said for years:
HTML DOES NOT BELONG IN A MESSAGING SYSTEM

The full text can be seen at:
http://www.us-cert.gov/cas/techalerts/TA04-315A.html

J.A. Coutts
#2
Guest
Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant exploits.

McAfee DAT v4405 and above provides protection against this exploit.

Dave

"John Coutts" <administrator@spam.yellowhead.com> wrote in message news:10p9lfrce6h9r1f@corp.supernews.com...
| In its latest security alert CERT has recommended:
| -----------------------------------------------------------------------
| Read and send email in plain text format
| Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
| to view email messages in text format. Consider the security of
| fellow Internet users and send email in plain text format when
| possible. Note that reading and sending email in plain text will
| not necessarily prevent exploitation of this vulnerability.
| -----------------------------------------------------------------------
|
| They are basically saying what I have said for years:
| HTML DOES NOT BELONG IN A MESSAGING SYSTEM
|
| The full text can be seen at:
| http://www.us-cert.gov/cas/techalerts/TA04-315A.html
|
| J.A. Coutts
|
#3
Guest
On Fri, 12 Nov 2004 15:41:35 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant
>exploits.
>
>McAfee DAT v4405 and above provides protection against this exploit.
>
>Dave

You sound like an av marketroid. What the marketroids don't tell you is that the use of sane email apps is all that's required.

>
>"John Coutts" <administrator@spam.yellowhead.com> wrote in message
>news:10p9lfrce6h9r1f@corp.supernews.com...
>| In its latest security alert CERT has recommended:
>| -----------------------------------------------------------------------
>| Read and send email in plain text format
>| Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
>| to view email messages in text format. Consider the security of
>| fellow Internet users and send email in plain text format when
>| possible. Note that reading and sending email in plain text will
>| not necessarily prevent exploitation of this vulnerability.
>| -----------------------------------------------------------------------
>|
>| They are basically saying what I have said for years:
>| HTML DOES NOT BELONG IN A MESSAGING SYSTEM
>|
>| The full text can be seen at:
>| http://www.us-cert.gov/cas/techalerts/TA04-315A.html
>|
>| J.A. Coutts
>|
>

Art
http://www.epix.net/~artnpeg
#4
Guest
One man's poison is another man's pleasure Art.

Dave ;-)

<null@zilch.com> wrote in message news:0lo9p0pmaa2a40jono6ds9m12345gg4pkk@4ax.com...
| On Fri, 12 Nov 2004 15:41:35 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant
| >exploits.
| >
| >McAfee DAT v4405 and above provides protection against this exploit.
| >
| >Dave
|
| You sound like an av marketroid. What the marketroids don't tell you is
| that the use of sane email apps is all that's required.
|
| >
| >"John Coutts" <administrator@spam.yellowhead.com> wrote in message
| >news:10p9lfrce6h9r1f@corp.supernews.com...
| >| In its latest security alert CERT has recommended:
| >| -----------------------------------------------------------------------
| >| Read and send email in plain text format
| >| Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
| >| to view email messages in text format. Consider the security of
| >| fellow Internet users and send email in plain text format when
| >| possible. Note that reading and sending email in plain text will
| >| not necessarily prevent exploitation of this vulnerability.
| >| -----------------------------------------------------------------------
| >|
| >| They are basically saying what I have said for years:
| >| HTML DOES NOT BELONG IN A MESSAGING SYSTEM
| >|
| >| The full text can be seen at:
| >| http://www.us-cert.gov/cas/techalerts/TA04-315A.html
| >|
| >| J.A. Coutts
| >|
| >
|
| Art
| http://www.epix.net/~artnpeg
#5
Guest
On Fri, 12 Nov 2004 16:57:41 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>One man's poison is another man's pleasure Art.
>
>Dave ;-)

One person's pleasure is another person's insanity

><null@zilch.com> wrote in message news:0lo9p0pmaa2a40jono6ds9m12345gg4pkk@4ax.com...
>| On Fri, 12 Nov 2004 15:41:35 GMT, "David H. Lipman"
>| <DLipman~nospam~@Verizon.Net> wrote:
>|
>| >Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant
>| >exploits.
>| >
>| >McAfee DAT v4405 and above provides protection against this exploit.
>| >
>| >Dave
>|
>| You sound like an av marketroid. What the marketroids don't tell you is
>| that the use of sane email apps is all that's required.
>|
>| >
>| >"John Coutts" <administrator@spam.yellowhead.com> wrote in message
>| >news:10p9lfrce6h9r1f@corp.supernews.com...
>| >| In its latest security alert CERT has recommended:
>| >| -----------------------------------------------------------------------
>| >| Read and send email in plain text format
>| >| Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
>| >| to view email messages in text format. Consider the security of
>| >| fellow Internet users and send email in plain text format when
>| >| possible. Note that reading and sending email in plain text will
>| >| not necessarily prevent exploitation of this vulnerability.
>| >| -----------------------------------------------------------------------
>| >|
>| >| They are basically saying what I have said for years:
>| >| HTML DOES NOT BELONG IN A MESSAGING SYSTEM
>| >|
>| >| The full text can be seen at:
>| >| http://www.us-cert.gov/cas/techalerts/TA04-315A.html
>| >|
>| >| J.A. Coutts
>| >|
>| >
>|
>| Art
>| http://www.epix.net/~artnpeg
>

Art
http://www.epix.net/~artnpeg
#6
Guest
Exactly !

Dave:

BTW: Art, since I have your attention, I'd like to ask you a question about Sys-Up. This is a great utility - Thank You. However, it wants to execute SYSCLEAN.COM immediately. I suggest to posters that sysclean be used in Safe Mode to increase its effectiveness. How can SysUp be used such that it gets SYSCLEAN.COM and the latest Pattern File but does not launch sysclean upon getting the components ?

Thanx...
Dave

<null@zilch.com> wrote in message news:n83ap05hrn78l2l0ten776viga5261v5m3@4ax.com...
| On Fri, 12 Nov 2004 16:57:41 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >One man's poison is another man's pleasure Art.
| >
| >Dave ;-)
|
| One person's pleasure is another person's insanity
|
| ><null@zilch.com> wrote in message news:0lo9p0pmaa2a40jono6ds9m12345gg4pkk@4ax.com...
| >| On Fri, 12 Nov 2004 15:41:35 GMT, "David H. Lipman"
| >| <DLipman~nospam~@Verizon.Net> wrote:
| >|
| >| >Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant
| >| >exploits.
| >| >
| >| >McAfee DAT v4405 and above provides protection against this exploit.
| >| >
| >| >Dave
| >|
| >| You sound like an av marketroid. What the marketroids don't tell you is
| >| that the use of sane email apps is all that's required.
| >|
| >| >
| >| >"John Coutts" <administrator@spam.yellowhead.com> wrote in message
| >| >news:10p9lfrce6h9r1f@corp.supernews.com...
| >| >| In its latest security alert CERT has recommended:
| >| >| -----------------------------------------------------------------------
| >| >| Read and send email in plain text format
| >| >| Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
| >| >| to view email messages in text format. Consider the security of
| >| >| fellow Internet users and send email in plain text format when
| >| >| possible. Note that reading and sending email in plain text will
| >| >| not necessarily prevent exploitation of this vulnerability.
| >| >| -----------------------------------------------------------------------
| >| >|
| >| >| They are basically saying what I have said for years:
| >| >| HTML DOES NOT BELONG IN A MESSAGING SYSTEM
| >| >|
| >| >| The full text can be seen at:
| >| >| http://www.us-cert.gov/cas/techalerts/TA04-315A.html
| >| >|
| >| >| J.A. Coutts
| >| >|
| >| >
| >|
| >| Art
| >| http://www.epix.net/~artnpeg
| >
|
| Art
| http://www.epix.net/~artnpeg
#7
Guest
On Fri, 12 Nov 2004 19:46:30 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>BTW: Art, since I have your attention, I'd like to ask you a question about Sys-Up. This
>is a great utility - Thank You. However, it wants to execute SYSCLEAN.COM immediately. I
>suggest to posters that sysclean be used in Safe Mode to increase its effectiveness. How
>can SysUp be used such that it gets SYSCLEAN.COM and the latest Pattern File but does not
>launch sysclean upon getting the components ?
>
>Thanx...
> Dave

For those who don't know, Dave is obviously referring to a little util I made available at my web site as a convenience to users. It uses WGET to d/l both large files required .... the Sysclean program and the latest pattern file. The util automatically invokes the Sysclean program after the downloads.

I don't see the auto-start of Sysclean as a problem, though I see your point. I'm sure you're right that in many or most cases Sysclean should be run in Safe mode. All users have to do is Exit Sysclean and reboot into Safe mode.

I always recommend shutting off (unchecking) the option to automatically clean or delete detected files. Too damn many false alarms and misidentifications nowadays. Users should always run more than one scanner and assess the situation before taking clean and delete actions. The Escan av utility (based on KAV), which now doesn't clean/delete, should be used in conjunction with Sysclean and preferably before it.

Also, there's an "Advanced" selection which allows you to scan selected folders and/or drives.

Art
http://www.epix.net/~artnpeg
#8
Guest
Thank you Art -- I had to ask.

Dave

<null@zilch.com> wrote in message news:ht8ap0ldtl2o1ijdhj1dqmq4fgs8ucv8rp@4ax.com...
| On Fri, 12 Nov 2004 19:46:30 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >BTW: Art, since I have your attention, I'd like to ask you a question about Sys-Up. This
| >is a great utility - Thank You. However, it wants to execute SYSCLEAN.COM immediately. I
| >suggest to posters that sysclean be used in Safe Mode to increase its effectiveness. How
| >can SysUp be used such that it gets SYSCLEAN.COM and the latest Pattern File but does not
| >launch sysclean upon getting the components ?
| >
| >Thanx...
| > Dave
|
| For those who don't know, Dave is obviously referring to a little util
| I made available at my web site as a convenience to users. It uses
| WGET to d/l both large files required .... the Sysclean program and
| the latest pattern file. The util automatically invokes the Sysclean
| program after the downloads.
|
| I don't see the auto-start of Sysclean as a problem, though I see your
| point. I'm sure you're right that in many or most cases Sysclean
| should be run in Safe mode. All users have to do is Exit Sysclean and
| reboot into Safe mode.
|
| I always recommend shutting off (unchecking) the option to
| automatically clean or delete detected files. Too damn many false
| alarms and misidentifications nowadays. Users should always run more
| than one scanner and assess the situation before taking clean and
| delete actions. The Escan av utility (based on KAV), which now doesn't
| clean/delete, should be used in conjunction with Sysclean and
| preferably before it.
|
| Also, there's an "Advanced" selection which allows you to scan selected
| folders and/or drives.
|
| Art
| http://www.epix.net/~artnpeg
#9
Guest
Or even, One man's Mead is another man's Persian!

<null@zilch.com> wrote in message news:n83ap05hrn78l2l0ten776viga5261v5m3@4ax.com...
> On Fri, 12 Nov 2004 16:57:41 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
> >One man's poison is another man's pleasure Art.
> >
> >Dave ;-)
>
> One person's pleasure is another person's insanity
>
> ><null@zilch.com> wrote in message news:0lo9p0pmaa2a40jono6ds9m12345gg4pkk@4ax.com...
> >| On Fri, 12 Nov 2004 15:41:35 GMT, "David H. Lipman"
> >| <DLipman~nospam~@Verizon.Net> wrote:
> >|
> >| >Yes, this is related to the IFRAME Buffer Overflow problem that the latest MyDoom variant
> >| >exploits.
> >| >
> >| >McAfee DAT v4405 and above provides protection against this exploit.
> >| >
> >| >Dave
> >|
> >| You sound like an av marketroid. What the marketroids don't tell you is
> >| that the use of sane email apps is all that's required.
> >|
> >| >
> >| >"John Coutts" <administrator@spam.yellowhead.com> wrote in message
> >| >news:10p9lfrce6h9r1f@corp.supernews.com...
> >| >| In its latest security alert CERT has recommended:
> >| >| -----------------------------------------------------------------------
> >| >| Read and send email in plain text format
> >| >| Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
> >| >| to view email messages in text format. Consider the security of
> >| >| fellow Internet users and send email in plain text format when
> >| >| possible. Note that reading and sending email in plain text will
> >| >| not necessarily prevent exploitation of this vulnerability.
> >| >| -----------------------------------------------------------------------
> >| >|
> >| >| They are basically saying what I have said for years:
> >| >| HTML DOES NOT BELONG IN A MESSAGING SYSTEM
> >| >|
> >| >| The full text can be seen at:
> >| >| http://www.us-cert.gov/cas/techalerts/TA04-315A.html
> >| >|
> >| >| J.A. Coutts
> >| >|
> >| >
> >|
> >| Art
> >| http://www.epix.net/~artnpeg
> >
>
> Art
> http://www.epix.net/~artnpeg
#10
Guest
John Coutts wrote:
> In its latest security alert CERT has recommended:

Latest? Hell, most people with any sense don't use html mail anyway.