Article: Windows web Threat.

[Digerati]

This is no longer productive. Close the thread?

I've made my point. If we can get back to discussing the MHTML security flaw in Windows, no need to close the topic.

In the meantime, sorry for letting "the angry duck" get loose.

 

[Digerati]

It seems the permanent fix will not be in this month's normal "Patch Tuesday" schedule. Therefore, Microsoft recommends following the Suggested Actions listed under the Mitigating Factors and Suggested Actions sections of the Microsoft Security Advisory (2501696).

It is interesting to note the mitigating factors. One set involves Windows Server and so does not affect most readers here. The two that might be applicable are:

• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, removing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

• In a Web-based attack scenario, a Web site could contain a specially crafted link (MHTML) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.​

The first, even though Outlook, Outlook Express and Windows Mail disable script and ActiveX controls, a user could circumvent those defenses by clicking on a link in an email that takes him to a compromised and/or malicious site. The second also requires the user to be duped into clicking a "specially crafted link" that takes him or her to a compromised and/or malicious site.

So it would appear it again boils down to user discipline and awareness. Some of these badguys are very clever con artists, experienced at convincing people of something's legitimacy. Do not take anything for granted. If you did not solicit the email or IM, be suspicious, even if you recognize the source. Do not assume all your contacts are as diligent as you. Their systems could be compromised and used by the badguys to distribute their malicious code.

 

[davehc]

I do believe the "suggested actions" will lead to the link I gave in my first post.

 

[Core]

Do not assume all your contacts are as diligent as you. Their systems could be compromised and used by the badguys to distribute their malicious code.

This advice is worth emphasizing. I run several security products on my Windows system, have locked down my wireless as best I can, do backups and sweep for infections on a regular basis. I also use Firefox with Adblock and NoScript. Yet, in my email client, I have a long list of people whose addresses are declared as "trusted." Just a few days ago I received a spam email in my native language from someone who had my grandfather's name - but he doesn't have a computer, much less email. I've also received emails from friends that they swore they never sent. In pretty much any security system, the people are the weakest link...

 

[Digerati]

I do believe the "suggested actions" will lead to the link I gave in my first post.

It does. Sorry to repeat. I just think it is important to note that these are recommended actions by Microsoft; perhaps more important now that we know a permanent fix will not go out on this Patch Tuesday's schedule.

have locked down my wireless as best I can

I think this is a telling and candid "confession". Regardless our expertise and due dilegence, wireless networks will never be as secure as wired. Therefore, we must remain alert.

Interesting comment about your grandfather. I recently received an email from mine as well. And he has been dead for 20 years. I suspect badguys are using publically available Ancestry.com names and comparing them to their spam lists to try to con users into opening these emails and clicking on malicious links. BTW, MailwasherPro is a great spam blocker that makes it easy to pick out these fake emails. I prefer it because it allows me to process my email on the server, before downloading the email and any malicious attachments to my machine.

 

[Mychael]

+1 for mailwasher. I've used it for ages and it's great. Always recommend it to users when the conversation comes up.
It's standalone and not tied into other mail program.
It requires user set up as you would with any mail reader.

 

[Digerati]

It requires user set up as you would with any mail reader.

Yes, but the latest version can search system for any email programs and set itself up for any accounts you have. All you have to do then is set the PW.

Some argue that the standalone parts means you have to learn another interface. That's true, but it is pretty easy to learn, and once learned, it is pretty intuitive.

If you "work" forums like I do and get 50+ (on a slow day) forum notification emails, MW makes it a snap to process through them all without ever having to call up your own email program.

 

[Mychael]

I'm not sure what version of Pro I have, got it on 7 & XP . I think even on the version I've got in 7 it needed me to put in my pop and smtp details.

Mine uses my isp mail server password. It's overall pretty easy to use and their support service is fairly prompt as well. I've had mailwasher for yrs.

 

[Digerati]

Help > About will tell you what version. There's a new 2011 version out too, but new beta testing is on going.

 

[Core]

I was looking at the website but I didn't see any information regarding compatibility with Google Apps and IMAP. I have Google Apps handling all email for my domain and I use IMAP to check on email.

 

[Mychael]

Help > About will tell you what version. There's a new 2011 version out too, but new beta testing is on going.

Yes, I was saying in the context of the time that I was posting the message. Did not know off the top of my head which version.

 

[Digerati]

Compatibility with any email program is immaterial. MW is a separate application totally independent of the email client or clients you use on your machine.

I am a beta tester for MW and while I don't get my GMail mail via IMAP, I know others that do. I use MW to check my GMail accounts with POP3 as well as my other accounts with my ISP, Cox. Those too are POP3.

You set up your accounts in MW the same as you would in your client.

http://www.firetrust.com/en/product...ons#what-are-my-pop-or-imap-and-smtp-settings