anomy-list

Re: How many people are blocking .xml files as attachments?

From: Derrick Webber (125802@xyz.molar.is)
Date: Fri 14 May 2004 - 15:09:37 GMT

    125841@xyz.molar.is wrote:

    > From what I know, it seems like these files are harmless. However I believe
    > that they are included in the default blocking list in Anomy. I've also
    > found a few links where other people have suggested blocking them, but
    > without any in-depth information on why.
    >
    > Are most of you blocking them? If you are, why? I've had several users
    > complain that they do not want .xml files stripped. I'd like to make sure
    > that they are indeed safe before allowing them.
    >
    > Any comments would be appreciated. Thanks.
    >

    What's "safe" depends on how paranoid you are ;-)

    We block XML attachments and web pages for many of our clients. Outlook
    Express has had at least two XML attachment exploits identified
    (http://www.securityfocus.com/bid/5350 and
    http://www.securityfocus.com/bid/2633). MS Internet Explorer has many
    more, and therefore any mail client that uses IE's parsing engines (i.e.
    MS Outlook) potentially shares those vulnerabilities.

    There's a more basic concern though: given the history of the MS HTML
    parsing engine, it's very likely their XML parser has many similar
    exploitable flaws. However unlike the HTML engine, the MS XML parser
    hasn't been kicked around by the security community a whole lot. There
    are probably quite a few unpublished vulnerabilities.

    XML and related data formats have a high potential for abuse... enough
    that many organizations are setting up XML "firewalls" (e.g. Reactivity)
    to validate and screen XML data for B2B applications and the like.
    Unless you have a strong business need to allow XML attachments, IMHO
    it's best to avoid them. If there IS a need for XML data transfers,
    consider doing it through an XML firewall with trusted partners, not via
    e-mail.

    -- 
      Derrick Webber
      Advosys Consulting Inc. Ottawa
      http://advosys.ca/
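
The thread above turns on whether to strip XML attachments at the mail gateway. A blocking list keyed on the ".xml" extension alone is easy to sidestep, so a filter should also look at the declared Content-Type and at the first bytes of the decoded payload. The following is an added example, not code from the original post and not Anomy's own filter: it parses a MIME message with Python's standard `email` package, flags XML parts by extension, MIME type or an XML declaration in the content, and replaces each flagged part with a plain-text notice. The extension and MIME-type lists are assumptions chosen for the example, and the sample message it builds is constructed here.

```python
"""Added example: flag and strip XML attachments from a MIME message.

Three checks are applied because a filter that looks only at the ".xml"
extension is trivially bypassed: filename extension, declared Content-Type,
and the leading bytes of the decoded payload. Standard library only.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumption: these lists are chosen for the example; they are not Anomy's
# own default blocking list.
XML_EXTENSIONS = {".xml", ".xsl", ".xslt", ".dtd", ".xsd"}
XML_MIME_TYPES = {"text/xml", "application/xml"}

# An XML declaration at the start of the data, optionally after a UTF-8 BOM.
_XML_DECL = re.compile(rb"^(?:\xef\xbb\xbf)?\s*<\?xml\s", re.IGNORECASE)


def looks_like_xml(data: bytes) -> bool:
    """Content sniff: does the payload begin with an XML declaration?"""
    return _XML_DECL.match(data[:128]) is not None


def classify_part(part) -> Optional[str]:
    """Return the reason a leaf part counts as XML, or None if it does not."""
    if part.is_multipart():
        return None
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    ctype = part.get_content_type().lower()
    if ext in XML_EXTENSIONS:
        return f"extension {ext}"
    # Covers text/xml, application/xml and "+xml" types such as application/rss+xml.
    if ctype in XML_MIME_TYPES or ctype.endswith("+xml"):
        return f"content-type {ctype}"
    if looks_like_xml(part.get_payload(decode=True) or b""):
        return "payload starts with an XML declaration"
    return None


def strip_xml_attachments(raw: bytes) -> Tuple[EmailMessage, List[Tuple[str, str]]]:
    """Parse a raw message, replace each XML part with a plain-text notice,
    and return (cleaned message, [(filename, reason), ...]) in walk order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    for part in msg.walk():
        reason = classify_part(part)
        if reason is None:
            continue
        name = part.get_filename() or "(unnamed)"
        stripped.append((name, reason))
        # set_content() drops the old Content-* headers (including the
        # Content-Disposition filename) and installs a text/plain body.
        part.set_content(f"[attachment {name} removed by filter: {reason}]")
    return msg, stripped


def build_sample() -> bytes:
    """Constructed sample message (not from the original post)."""
    xml = b'<?xml version="1.0"?><report><total>42</total></report>'
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "Q2 figures"
    msg.set_content("See attached.")
    # 1. Obvious case: .xml extension and application/xml type.
    msg.add_attachment(xml, maintype="application", subtype="xml",
                       filename="report.xml")
    # 2. Same bytes renamed .txt and sent as octet-stream; only sniffing catches it.
    msg.add_attachment(xml, maintype="application", subtype="octet-stream",
                       filename="report.txt")
    # 3. Harmless attachment that must survive the filter.
    msg.add_attachment(b"just some notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


def remaining_filenames(msg: EmailMessage) -> List[str]:
    """Filenames still present after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    cleaned, stripped = strip_xml_attachments(build_sample())
    for name, reason in stripped:
        print(f"stripped {name}: {reason}")
    print("kept:", remaining_filenames(cleaned))
```

Running it strips both the plainly named `report.xml` and the renamed `report.txt` copy, while `notes.txt` is kept; the `walk()` traversal means XML parts nested inside multipart/related or forwarded messages are caught too, which a top-level `iter_attachments()` loop would miss.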