[Dshield] "Disable preview pane" as a defense

Tom dshield at oitc.com
Wed Aug 15 23:38:15 GMT 2007

At 3:52 PM -0700 8/15/07, Darren Spruell wrote:
>The common statement about client side exploits affecting email and
>browser software from vendors is that they are low risk
>vulnerabilities because they typically require user interaction to
>exploit. For example, the user must click on a link in an email, or
>open an attachment, or visit a web site or whatever. For active
>content that can be executed automatically by the email client (i.e.
>Outlook, Outlook Express) the advice is to disable the preview pane
>and that problem goes away.
>My question is, does it? I seem to recall that there have been at
>least a couple of vulnerabilities in client-side parsing libraries
>that were exploitable even in the case that the preview pane was
>disabled, or in other words that disabling the preview pane was not an
>effective workaround for mitigating these vulnerabilities. I think
>they may have been exposures in VML, GDI, ANI or similar. In this
>case, the net effect is that without actual user interaction, the
>vulnerability can be exploited by no other circumstance than the user
>_recieving_ the email, preview pane enabled or not - not actively
>performing action on the email.
>Am I off base on this? Can anyone provide examples of exposures that
>fit this scenario?

Low risk? Bah! Give a user a well crafted socially engineered email 
and the user will click on or do anything they are asked to 999 out 
of 1000.


Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com

More information about the list mailing list