Re: HTML-encoded mails

From: Todd Sherman

HTML-encoded email can be "dangerous" because HTML can contain code that will make calls, or requests, to an 
operating system.  The HTML code in and of itself is innocuous because it is mostly a data presentation language that 
"beautifies" text; however, the hyperlinks and references within the presentation code can make requests from your 
system or another networked system. If created by a malicious programmer, the HTML can perform undesirable actions.

The reason Microsoft email clients (i.e., mail readers) are often cited as being vulnerable is because of the integration of 
various scripts that are part of the operating system.  These scripts, which normally perform useful tasks, are usually 
resident on a PC - they are not always downloaded with the HTML.  Additional scripts that are not part of the OS can be 
downloaded too, and this is very much a part of normal internet browsing these days.  The HTML-mail can initiate these 
scripts when you open the file or click on hyperlinks in the email, hence the potential danger.  An improperly configured 
email client that has not been reviewed for its security settings can be problematic.

As far as "idiotic," I'd venture to say needless might be the kinder/gentler adjective.

Todd Sherman

HistoSoft Corporation
A+, Network+

Date: 25 Nov 2002 09:46:51 -0600
Subject: Re: HTML-encoded mails

why are they
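An added illustration, not part of the original message or thread: a small Python checker that lists the parts of an HTML mail body that would make requests or start scripts, as the reply above describes. The names `ActiveContentFinder` and `scan_message`, the attribute and tag lists, and the sample message with its hosts are assumptions constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Attributes that make a client fetch or open something (assumed list, not exhaustive).
URL_ATTRS = {"href", "src", "background", "action", "data", "codebase"}
# Elements that carry or embed executable content (assumed list, not exhaustive).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}

# Constructed sample message with hypothetical hosts; not taken from the thread.
SAMPLE = b"""\
From: sender@example.com
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"

<html><body onload="init()">
<img src="http://tracker.example/pixel.gif" width="1" height="1">
<a href="http://www.example.com/offer">Click here</a>
<a href="javascript:run()">Details</a>
<script>init = function(){}</script></body></html>
"""

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, detail) tuples in document order

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-element", tag, ""))
        for name, value in attrs:
            value = (value or "").strip()
            scheme = value.split(":", 1)[0].lower() if ":" in value else ""
            if name.startswith("on"):  # onload, onclick, ...: script run by the client
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS and scheme in ("javascript", "vbscript"):
                self.findings.append(("script-url", tag, name))
            elif name in URL_ATTRS and scheme in ("http", "https", "ftp", "file"):
                # Links need a click; other references load when the mail is opened.
                kind = "link" if tag in ("a", "area") else "remote-load"
                self.findings.append((kind, tag, value))

def scan_message(raw_bytes):
    # Parse the MIME structure and inspect every text/html part.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            findings.extend(finder.findings)
    return findings
```
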


