Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Images being pulled in Outlook 2003 even though don't download pictu

from [Jason Coombs PivX Solutions] Network Security [Permanent Link]
Subject: Re: Images being pulled in Outlook 2003 even though don't download pictures is set?
Date: Wed, 25 Aug 2004 09:02:26 -1000
The recent LIBPNG vulnerability can be exploited by sending HTML e-mail containing an embedded malicious PNG image referenced locally using cid: as well, if the recipient of the e-mail is using a vulnerable mail client. See

Chris Evans' security advisory
http://scary.beasts.org/security/CESA-2004-001.txt

Therefore this issue is somewhat serious, and deserves more attention. Mail clients need to block automatic display of all images, not just those referenced by external URL inside an img tag. It is a lot of work to locate vulnerable binary code, notify vendors of vulnerable or flawed products and teach them this remedial basic security principle. I am looking for volunteers who are interested in helping out with this effort.

Does anyone have a list of closed-source products known to contain LIBPNG or code derived from it that is believed vulnerable?

Most Secure Regards,

Jason Coombs
Director of Forensic Services
PivX Solutions, Inc.
Jcoombs@PivX.com

-----Original Message-----
From: "CHRIS GRABENSTEIN" <CGRABENSTEIN@lfcc.edu>
Date: Mon, 23 Aug 2004 15:20:39
To:<security-basics@securityfocus.com>
Subject: RE: Images being pulled in Outlook 2003 even though don't download pictures is set?

The reference after cid: refers to an image embedded in the email itself.
The image arrives as part of the email rather than being pulled from a remote
server.

-----Original Message-----
From: Spencer, Mark [mailto:mspencer@evidentdata.com]
Sent: Sunday, August 22, 2004 12:36 PM
To: security-basics@securityfocus.com
Subject: Images being pulled in Outlook 2003 even though don't download
pictures is set?

I've been getting lots of spam with images being displayed, even though my
Outlook 2003 is set to not download pictures automatically.  Here's what I
think is the relevant code (minus < and >):

DIV align=center
FONT face=Arial size=2
IMG src="cid:kfhyepds_bfjhwcxn_dkiaarqo";
/FONT
/DIV
/BODY
/HTML

Any advice on how to deal with this?  How does that "cid: .." translate into
a legitimate IP address from which to pull an image?

Thanks!

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Gain the in-demand skills of a certified
computer examiner, learn to recover trace data left behind by fraud, theft,
and cybercrime perpetrators. Discover the source of computer crime and abuse
so that it never happens again.

http://www.securityfocus.com/sponsor/InfoSecInstitute_security-basics_040817
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Blocking Access to Non-domain computers, Raoul Armfield
Next by Date:  ASP Authentication, Bénoni MARTIN
Previous by Thread:  RE: Images being pulled in Outlook 2003 even though don't download pictures is set?, Spencer, Mark
Next by Thread:  [OT] ML about networking for newbie, Di Fresco Marco
Indexes:  [Date] [Thread] [Top] [All Lists]