I am continually amazed at the number of web sites which are unusable when java and ActiveX are disabled. Generally, html geeks get paid to make cool web sites (and email) which use all the local/interactive "make your machine do things" features; most don't seem to be aware of (or care about) the security implications. Try blocking active content at your firewall and see how long it takes for clients to complain about not being able to use web sites (even medical practice / insurance company web sites), not being able to get emails/attachments, etc. Education efforts aside, this puts us in the position of having to field complaints about "the damn firewall". Does anyone else deal with this? - stonewall ----- Original Message ----- From: "Richard M. Smith" <rms@computerbytesman.com> To: "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@SECURITYFOCUS.COM> Sent: Wednesday, July 02, 2003 8:03 PM Subject: Email marketing company gives out questionable security advice > Hi, > > Last week, I received an unsolicited email message from Mobil Travel > Guide about their new online service. In the message, I was encouraged > to turn back on ActiveX and scripting in Outlook in order to view a > Flash movie embedded in the message. Needless to say, I thought this > was a terrible idea. Instead, I wrote the company who created the ad, > Digital Produce (http://www.digitalproduce.com), saying they were giving > out bad security advice and they should stop doing this sort of thing > in future mailings. > > I got a reply from the company this week basically saying that they > agree with my concern, but not my solution. Instead they decided to put > a little security warning on their "real media fix" page. This fixer > page can be found here on their Web site: > > http://www.digitalproduce.com/site_resources/pdfs/outlookfix/ > > I think the warning message is pretty lame and misleading. Microsoft > released the Outlook Security Update a few years back because anti-virus > software wasn't stopping email worms. Turning back on ActiveX and > scripting only encourages the virus writers. > > (As an aside, the Xbox division of Microsoft is also a customer of > Digital Produce. I wonder if any Xbox ads gave out this same bad > security advice?) > > OTOH, it's not too hard too understand where Digital Produce is coming > from. According to a recent article in Internet News, only about 30% of > email users can view rich media email. This percentage is declining as > people upgrade Outlook and Outlook Express to newer versions with better > security features. It's pretty obvious that Flash-enabled email is a > dying market. > > Along these same lines, images in HTML email messages will be the next > thing to go. The upcoming versions of Outlook and the AOL 9.0 email > reader will no longer show images in HTML email messages by default. > Hotmail offers this same feature as an option today. This feature is > intend to make email more kid-friendly by blocking porno pictures in > incoming spam messages. It also stops spammers for snooping on people > using Web bugs. > > It will be interesting to see how email marketing companies and > spammers adapt to these technical changes in HTML email. > > Richard M. Smith > http://www.ComputerBytesMan.com > >
