125841@xyz.molar.is wrote:
> From what I know, it seems like these files are harmless. However I believe
> that they are included in the default blocking list in Anomy. I've also
> found a few links where other people have suggested blocking them, but
> without any in-depth information on why.
>
> Are most of you blocking them? If you are, why? I've had several users
> complain that they do not want .xml files stripped. I'd like to make sure
> that they are indeed safe before allowing them.
>
> Any comments would be appreciated. Thanks.
>
What's "safe" depends on how paranoid you are ;-)

We block XML attachments and web pages for many of our clients. Outlook
Express has had at least two XML attachment exploits identified
(http://www.securityfocus.com/bid/5350 and
http://www.securityfocus.com/bid/2633). MS Internet Explorer has many
more, and therefore any mail client that uses IE's parsing engines (i.e.
MS Outlook) potentially shares those vulnerabilities.

There's a more basic concern though: given the history of the MS HTML
parsing engine, it's very likely their XML parser has many similar
exploitable flaws. However, unlike the HTML engine, the MS XML parser
hasn't been kicked around by the security community a whole lot. There
are probably quite a few unpublished vulnerabilities.

XML and related data formats have a high potential for abuse... enough
that many organizations are setting up XML "firewalls" (e.g. Reactivity)
to validate and screen XML data for B2B applications and the like.

Unless you have a strong business need to allow XML attachments, IMHO
it's best to avoid them. If there IS a need for XML data transfers,
consider doing it through an XML firewall with trusted partners, not via
e-mail.
-- Derrick Webber Advosys Consulting Inc. Ottawa http://advosys.ca/ --