In our organization we are seeing increasing incidents of e-Mail rcv'd (mostly from eastern european sources) with embedded objects that are automatically opening (based on IFRAME tag) a browser window where the attachment is displayed.
The embedded objects are bypassing our internet attachment blocking content filtering and being nabbed by our e-Mail system virus scanning, (so far all have contained a KLEZ-x virus in a .bat file as well as an excel or word doc). It's frustrating because the only systems that prompt a user to open the attachment are XP w/IE6.0 - regardless of what IE security patch is installed on the other OS's. It looks like a clever way to execute some malicious code but so far we haven't been specifically impacted by that ploy..yet. Microsoft recognizes the use of IFRAME tags as a feature, so nothing is being done on that front. But the real reason for this post is to ask what efforts have other organizations been making with respect to blocking HTML e-Mails. This issue and the simple fact that malicious code can be introduced into e-Mail via HTML based scripts (possibly introducing an e-Mail wiretap) scares me, but I have no real evidence of it being an serious issue to anyone but my own paranoid self. Yes I could theoretically implement the Outlook Security Patch and totally lock downOL/IE to not do anything with scripts (but not sure about IFRAME tags) and then look for another job. Has anyone actually taken steps to screen HTML e-Mail or eliminate it from their orgs? Would love to know what drove the decision. Are there products that assist in eliminating malicious code in HTML, if so how do they know it's malicious. Sorry for the long post but this is really bugging me. Paul Petersen
