Outlook in Office 12 Beta makes link request, in addition to handing to browser?

john.g.norman

Hi. I made a post regarding what may be a bug in the new users group
(microsoft.public.outlook).

Here's the thread:

http://www.microsoft.com/communitie...&tid=7169701e-b1c6-49e1-a1ec-820ee3537656&p=1

And the core issue:

Outlook in Office 12 makes a request to a link embedded in e-mail, gets
the redirect target, and then passes the redirect target to the default
browser. The consequences of this can be session loss (because the
redirect target received by the browser might depend on state created
in the original request).

Another consequence is that products that collect clicks on links (e.g.,
some ad-driven sites) may count clicks twice.

The problem seems to exist no matter what browsers are installed. I
tried with Office 12 + IE 6, IE 7, and Firefox. Below is what the server
log shows.

Notice how the FIRST request (this is the URL in the e-mail) is handled
by IE!! Outlook should be handing off completely to the specified
default browser, but apparently it wants to request the URL. Then IE
(embedded in Outlook) follows the redirect, and gives the REDIRECT
target to FF. NOW FF does NOT have the session cookie, and, hence, the
timeout.

204.9.220.36 - - [01/Jul/2006:15:17:17 -0600] "GET /?mr=Ed8Y-qnjVkw5BnlLEbWmy4VsgNo HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
204.9.220.36 - - [01/Jul/2006:15:17:18 -0600] "GET /multirefSelect.html HTTP/1.1" 200 5498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
204.9.220.36 - - [01/Jul/2006:15:17:20 -0600] "GET /multirefSelect.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
204.9.220.36 - - [01/Jul/2006:15:17:20 -0600] "GET /timeout.html HTTP/1.1" 200 1655 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"

It occurs to me that this may be an attempt at determining phishing
attempts. If it is, the technique of handing the REDIRECT target to the
default browser still makes little sense. The default browser should be
passed the original link.
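
An added example, not part of the original post: a server operator can spot this pattern in an access log by flagging a path that one user agent fetched after being redirected and that a different user agent from the same IP requests again seconds later. The function names and the 10-second window are assumptions of this sketch; the sample input is the four log entries quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Combined log format: ip, ident, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# The four access-log entries from the post, one entry per line.
SAMPLE_LOG = """\
204.9.220.36 - - [01/Jul/2006:15:17:17 -0600] "GET /?mr=Ed8Y-qnjVkw5BnlLEbWmy4VsgNo HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
204.9.220.36 - - [01/Jul/2006:15:17:18 -0600] "GET /multirefSelect.html HTTP/1.1" 200 5498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
204.9.220.36 - - [01/Jul/2006:15:17:20 -0600] "GET /multirefSelect.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
204.9.220.36 - - [01/Jul/2006:15:17:20 -0600] "GET /timeout.html HTTP/1.1" 200 1655 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
"""

def parse(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status, ua = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "path": path, "status": int(status), "ua": ua}

def find_handoffs(lines, window_seconds=10):
    """Flag paths fetched by one user agent and then, within the window, by a
    different agent from the same IP, where the first agent had been redirected."""
    window = timedelta(seconds=window_seconds)  # assumed threshold, tune per site
    history = {}   # ip -> earlier entries, in log order
    findings = []
    for rec in filter(None, map(parse, lines)):
        seen = history.setdefault(rec["ip"], [])
        for prev in seen:
            if (prev["path"] == rec["path"] and prev["ua"] != rec["ua"]
                    and rec["time"] - prev["time"] <= window):
                # Entry URL: the latest 3xx the first agent received before that fetch
                entry = [p for p in seen if p["ua"] == prev["ua"]
                         and 300 <= p["status"] < 400 and p["time"] <= prev["time"]]
                if entry:
                    findings.append({"ip": rec["ip"], "entry_url": entry[-1]["path"],
                                     "handed_off_url": rec["path"],
                                     "first_agent": prev["ua"], "second_agent": rec["ua"]})
        seen.append(rec)
    return findings

if __name__ == "__main__":
    for hit in find_handoffs(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the post's log this reports one handoff: the `/?mr=...` link was fetched by the MSIE agent, and its redirect target `/multirefSelect.html` was then requested by Firefox.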
 
