[Am-info] Windows in trouble for any html use!

John J. Urbaniak jjurban@attglobal.net
Tue, 13 Jul 2004 11:28:14 -0400 

It's time for an all-out condemnation of the PC Press.  Back during the 
OS/Wars, the Press undeniably took the side of Microsoft.  They all but 
wiped out my small business, because my software is OS/2 - (now eCS-) based.

If a significant number of computers were based on systems other than 
Microsoft, we would not be in these straits today.  If we had a 
significant percentage of OS/2, Apple, Linux and other operating systems 
in use, the odds of viruses propagating throughout our entire computing 
infrastructure would be drastically reduced.

By allowing themselves to be co-opted by the Gang of Criminals from 
Redmond,  the Press is totally responsible for the sorry state we are in 
today.

John




Gene Gaines wrote:

> The U.S. Department of Homeland Security has notified the world
> to stop using the Web browser, and in fact generally stop using
> Windows to view any HTML documents.
>
> Hopefully, if you use Microsoft Internet Explorer or Microsoft
> Outlook, you know about this problem and have taken steps to
> guard your computer.  If not, it is time to panic and read this
> now.
>
> If you are lucky (or wise) enough NOT to use the above, this
> report is fascinating and worth taking time to read carefully.
>
> See: http://www.kb.cert.org/vuls/id/713878
>
> This warning is by US-CERT, the United States Computer Emergency
> Readiness Team, part of the U.S. Department of Homeland
> Security.
>
> I'll attempt a short description:
>
>    By convincing a victim to view an HTML document (web page,
>    HTML email), an attacker could execute script in a different
>    security domain than the one containing the attacker's
>    document. By causing script to be run in the Local Machine
>    Zone, the attacker could execute arbitrary code with the
>    privileges of the user running IE.
>
>    By redirecting to a local resource, controlling the timing of
>    the redirect, and setting the frame's location to a
>    javascript: protocol URI, an attacker can execute script in
>    the security context of the Local Machine Zone.
>
>    Functional exploit code is publicly available, and there are
>    reports of incidents involving this vulnerability.
>
>    Any program that hosts the WebBrowser ActiveX control or used
>    the IE HTML rendering engine (MSHTML) may be affected by this
>    vulnerability.
>
> Seems to me, then, run any of the many Windows-based applications
> that make use of the IE HTML rendering engine and you're running
> down the street with no pants on.  That includes HTML emails.
>
> So, the answer is to follow no hot-links and view no email unless
> you are sure of the source.
>
> Hey, the AM-INFO list should be safe because we use ASCII.
>
> Are you sure this email does not contain HTML?
>
> I again invite you to visit: http://www.kb.cert.org/vuls/id/713878
>
> But, if you visited the above site, are you SURE that site is not a
> fake and your computer may have been compromised. 
>
> Are you sure this email was sent by Gene Gaines?
>
> Are you sure one of the HTML emails you read this week was not an
> exploit?
>
> I'm glad I use Mozilla and The Bat!
>
> /Gene Gaines
> gene.gaines@gainesgroup.com
> Sterling, Virginia/