[Dshield] "Disable preview pane" as a defense

Darren Spruell phatbuckett at gmail.com
Wed Aug 15 22:52:31 GMT 2007


The common statement about client side exploits affecting email and
browser software from vendors is that they are low risk
vulnerabilities because they typically require user interaction to
exploit. For example, the user must click on a link in an email, or
open an attachment, or visit a web site or whatever. For active
content that can be executed automatically by the email client (i.e.
Outlook, Outlook Express) the advice is to disable the preview pane
and that problem goes away.

My question is, does it? I seem to recall that there have been at
least a couple of vulnerabilities in client-side parsing libraries
that were exploitable even in the case that the preview pane was
disabled, or in other words that disabling the preview pane was not an
effective workaround for mitigating these vulnerabilities. I think
they may have been exposures in VML, GDI, ANI or similar. In this
case, the net effect is that without actual user interaction, the
vulnerability can be exploited by no other circumstance than the user
_recieving_ the email, preview pane enabled or not - not actively
performing action on the email.

Am I off base on this? Can anyone provide examples of exposures that
fit this scenario?

DS


More information about the list mailing list