Microsoft Product Security <secnotif@MICROSOFT.COM> wrote:

> Mitigating Factors:
[...]
> Users who have set Outlook Express to use the "Restricted
> Sites" Zone are not affected by the HTML mail exploit of this
> vulnerability

Sorry, but this is not true. Whilst pages in the Restricted Sites zone are
barred from using active scripting, there are other ways of redirecting the
user to a malicious about: URL. Two I can think of straight away that require
no user intervention are:

  <meta http-equiv="refresh" content="1;url=about:...">
  <iframe src="about:...">

both work on Outlook 2000 with mail content in the Restricted Sites zone.

Since I stated exactly this whilst discussing the previous vulnerability
with secure@microsoft, I'm disappointed to see this argument wheeled out again.

-- 
Andrew Clover
Technical Consultant
1VALUE.com AG
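
Added example (not part of the original post, and not code from Microsoft or the author): a mail-filter check that flags the two script-free vectors named above, a meta refresh or an iframe src whose target is an about: URL. The function names, the extra frame tag and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# iframe src is the vector named in the post; frame is an added assumption.
AUTOLOAD_SRC_TAGS = {"iframe", "frame"}

def _is_about_url(url):
    """True if the scheme is about:, ignoring case, padding and tab/CR/LF."""
    return re.sub(r"[\t\r\n]", "", url).strip().lower().startswith("about:")

def _refresh_target(content):
    """URL part of a meta refresh content value such as '1;url=about:x'."""
    _, sep, rest = content.partition(";")
    if not sep:
        return ""  # delay only: reloads the same page, no redirect target
    rest = rest.strip()
    m = re.match(r"url\s*=\s*(.*)", rest, re.I | re.S)
    return (m.group(1) if m else rest).strip().strip("'\"")

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and decodes entities.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            target = _refresh_target(a.get("content", ""))
            if _is_about_url(target):
                self.findings.append(("meta-refresh", target))
        elif tag in AUTOLOAD_SRC_TAGS and _is_about_url(a.get("src", "")):
            self.findings.append((tag + "-src", a["src"].strip()))

def find_scriptless_about_redirects(html_body):
    """Return (vector, url) pairs that load an about: URL with no script or click."""
    finder = _Finder()
    finder.feed(html_body)
    finder.close()
    return finder.findings

# Constructed sample message body; about:placeholder stands in for any about: URL.
SAMPLE_MAIL = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="1; URL=about:placeholder">
</head><body>
<iframe src=" about:placeholder"></iframe>
<iframe src="http://example.com/"></iframe>
<a href="about:blank">needs a click, so not flagged</a>
</body></html>"""
```

A filter built on this would strip or quarantine any message for which the returned list is non-empty, independently of the zone's scripting settings.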