“That is one other reminder to discover a trusted cloud supplier for e-mail,” added Johannes Ullrich, dean of analysis on the SANS Institute. “On-premises Change is changing into a legacy product, and whereas some organizations want it for inner and outbound electronic mail, its assault floor ought to be minimized by decreasing its publicity to exterior electronic mail.”
Ullrich was commenting on an alert from Microsoft this week a few cross-site scripting vulnerability affecting Change Outlook Net Entry (OWA) that could possibly be exploited merely by sending a specifically crafted electronic mail to a consumer. If the consumer opens the message in Outlook Net Entry and sure interplay situations are met, arbitrary JavaScript might be executed within the browser context.
Avoiding cross-site scripting issues in webmail programs like Outlook Net Entry is difficult, Ullrich admitted. A webmail system should embrace HTML electronic mail obtained from customers throughout the software’s HTML with out complicated the 2. Methods like sandboxed iFrames may also help, however must be utilized rigorously.
On the similar time, he stated, cross-site scripting flaws in webmail can often be used to learn the content material of an electronic mail, and in some circumstances even to ship an electronic mail.
