Content Security Resource Center (CSRT) Alert
A JavaScript security flaw exists in several email client programs. The exploit makes it possible to track down forwarded email without the forwarding senders' awareness. An attacker could create an email containing an embedded script, the email could be sent to victims, if the victim will forward the email, a copy of the forwarded email text will be sent back to the attacker, without the victims' knowledge.
This security hole exists in HTML\Java enabled email readers. That makes most Outlook\Outlook Express and Netscape Communicator users vulnerable.
The exploit has been known since 1998 but only now created a media concern.
You can read about it in Wired
eSafe Gateway and Mail provide a solution to this exploit. eSafe Gateway 3 and eSafe Mail clients are advised to block the string "document.body.innerText" in scripts within HTML email.
Here are the instructions:
- Open eConsole
- In Rules=>SMTP=>Incoming=>Scan - make sure the "Scan body for HTML vandals..." check-box is checked.
- In Content Filters=>HTML=>SmartScript Filters=>JavaScript - make sure either the "Strip w/forbidden functions" check-box is checked.
- Add the function document.body.innerText
- Repeat for the other script types.