
url attachments and links


Ludwig

Mar 8, 2002, 3:46:24 PM
Where can I get security information about .url file attachments and
hyperlinks sent via email? What are the potential risks, why does Outlook
block the url attachment, but allow the link in the message body?

Thanks, Eric C.


Rick Hattenburg

Mar 8, 2002, 9:29:53 PM
Hi Ludwig,

Take a look at the following:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259228
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q291506

Let me know if this helps,
Rick

"Ludwig" <xxer...@xxcityrm.org> wrote in message
news:#gXsDJuxBHA.2388@tkmsftngp05...

Ludwig

Mar 9, 2002, 9:07:11 AM
Yes. I've seen that. I am interested in why the .url attachment is
considered dangerous but the actual link is not. I block .url attachments at
our email gateway but hyperlinks still get thru in the message body. The
article says to paste links into the message body. Why block the .url then?
Could the .url possibly contain other malicious code that is run without the
recipient's knowledge?


"Rick Hattenburg" <ric...@microsoft.com> wrote in message
news:uCgE4IxxBHA.2792@tkmsftngp05...

EveningStar

Mar 11, 2002, 1:20:08 AM
"Ludwig" <er...@xnospamxcview.net> wrote in message
news:e0mV6O3xBHA.1524@tkmsftngp02...

> Could the .url possibly contain other malicious code that is run without the
> recipient's knowledge?

Yes. A malformed URN can, on improperly maintained systems, create an
exploitable buffer overflow condition or send you to a malicious web site or
do other kinds of damage. If the URN is contained in a .url file, the
recipient of the email message may not visually inspect the URN before
activating it. If it is contained in the body of the message, you can't
help but see where it goes and what kind of URN it is.
--
David Dickinson
EveningStar Information Services

Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp


Harald Ums

Mar 11, 2002, 1:57:24 AM
> Yes. A malformed URN can, on improperly maintained systems, create an
> exploitable buffer overflow condition or send you to a malicious web site or
> do other kinds of damage.
Huh?
The buffer overflow on an improperly maintained system will happen when some
attachment is handled in the program.
This overflow would be independent of the attachment.

Of course displaying adds an "additional" danger of a buffer overflow, but
so does displaying a mail body of plain text.

Harald Ums


Ludwig

Mar 11, 2002, 9:02:07 AM
Ok, so links can still be dangerous, but at least you see the address and
are required to click. I think I will continue to block .url attachments at
the gateway. I assume that if I also wanted to block hyperlinks in the
message body I could use a content scanner and look for "http:\\". Thanks
for the info.

Eric C.

"EveningStar" <eis-n...@softhome.net> wrote in message
news:#pQhbSMyBHA.2080@tkmsftngp04...

Ludwig

Mar 11, 2002, 9:05:18 AM
Are you saying that a text message can execute code?

"Harald Ums" <Harald.U...@t-online.de> wrote in message
news:#7IgrnMyBHA.1652@tkmsftngp04...

Harald Ums

Mar 11, 2002, 2:23:32 PM

"Ludwig" <xxer...@xxcityrm.org> wrote in message
news:eZvZAXQyBHA.2376@tkmsftngp02...

> Are you saying that a text message can execute code?
>
If you have a buffer overflow in your mailer a text message can trigger
executable code - that's what buffer overflows are about.

The one valid reason I saw up to now why url-attachments are more dangerous
than html mails, was that you can't see what is in an url attachment until
you have saved it to disk or opened it.

But for the 'naive' user even a href embedded in an html mail might also be
dangerous. The url
<a href=http://www.somesite.somewhere/..very long url
target="_top">www.microsoft.com/security</a>
will display as www.microsoft.com/security even if it points somewhere else.
You have to look at the status line to see the correct url.

With the usual mix of users in large companies you always find a few who do
not know that.

Harald Ums
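
The mismatch between displayed link text and actual target described in the last post, written as a check a gateway content scanner could run over an HTML message body. This is an added example, not part of the original thread; `audit`, `LinkAuditor`, `host_of` and the example.* hosts in the sample are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a URL or bare host ("www.example.com/x").
HOSTLIKE = re.compile(
    r'^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#]|$)', re.I)

def host_of(text):
    """Return the lower-cased host if text looks like a URL or host, else None."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None

class LinkAuditor(HTMLParser):
    """Collect (shown_host, actual_host) for anchors whose text names another host."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside <a href=...>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = host_of("".join(self._text))
            actual = (urlsplit(self._href).hostname or "").lower()
            if shown and actual and shown != actual:
                self.findings.append((shown, actual))
            self._href = None

def audit(html_body):
    parser = LinkAuditor()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample body: one deceptive anchor, two harmless ones.
SAMPLE = (
    '<p><a href=http://login.example.net/a/very/long/path target="_top">'
    'www.example.com/security</a></p>'
    '<p><a href="http://www.example.org/docs">www.example.org/docs</a></p>'
    '<p><a href="http://www.example.org/">click here</a></p>'
)

if __name__ == "__main__":
    for shown, actual in audit(SAMPLE):
        print(f"link text shows {shown} but href points to {actual}")
```

Anchors whose visible text is not host-like ("click here") are not flagged, so this catches only the case where the text itself claims a destination.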
