Need some help/opinions about preventing new HTML viruses
Posted on 2004-03-27
There is some concern in my company about the risk of the new HTML viruses and what we might be able to do to prevent them. Not so much around the known ones, but more around as new ones are identified, or preventing any malicious HTML code. The known ones are covered as the AV vendors release the dats.
I've done some experimenting and can't come up with a workable solution. In some places (it's a global company) there is proxy authentication required with every access to port 80, so the messages come through with image placeholders if there is an IMG SRC tag, and it prompts for authentication. That is tolerable, because people can go to the site for the images if they like, and the message is still very legible. However, that seems to be blocking only those images, not the embedded HTML.
I've also tried setting my person doc to Prefers Notes Rich Text. That seems to be stripping out all the HTML when it does the MIME to CD conversion, but the messages are an awful mess, to the point that a lot of end users wouldn't be able to find what they were looking for in them. I'm not sure that is a good solution.
I'm looking for some suggestions about how to prevent malicious HTML, but also some opinions about the trade-off. I'm thinking the risk is low at this point for several reasons. The first is that there doesn't seem to be any more risk than with any other virus while we're waiting for the AV vendors to release a new dat. The second is that the HTML viruses that have been identified so far use ports that we don't have open anyway, so even if they are run in the preview pane they can't get to their web site to download anything. Also, if there are new ones that use common ports that we have open, such as 80, the user would still have to sign in if all the proxies were set up for additional authentication. (Some authenticate at the OS login.)
The remaining issue is malicious HTML code embedded in the message that runs on its own without going to a web site to get a file to do something destructive to the machine. But then most of the PCs in the environment are XP or 2K and are locked down, so for those, what any virus or HTML can do if it runs while an end user is logged in is limited. We do still have a few business units that have 98, but those are in the process of being brought inline with the rest of the domain.
Is there any middle of the road solution that will prevent malicious HTML without garbling the useful HTML messages?
Many thanks in advance.
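As an added illustration (not part of the original post, and not a Notes/Domino feature), here is the shape of the "middle of the road" filter the question asks for: an allow-list HTML rewriter that a mail gateway could run on inbound MIME bodies before they reach the client. It removes the elements that execute code or pull in external objects (script, object, iframe, event handlers, javascript: URLs, comments), keeps ordinary formatting so the message stays legible, and drops remote image references so they render as placeholders instead of generating proxy authentication prompts. The element and attribute allow-lists, the scheme list and the sample message are my own assumptions for the example; adjust them to what your users' mail actually needs.

```python
"""Added example, not from the original post: an allow-list filter for inbound
HTML mail that strips active content but keeps plain formatting."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that execute code or pull in external objects: removed together with
# everything inside them. (Assumed list; extend for your environment.)
DROP_WITH_CONTENT = frozenset({"script", "style", "object", "embed", "applet",
                               "iframe", "frame", "frameset", "form", "meta",
                               "link", "base", "noscript"})
# Plain formatting elements that keep a message readable. Anything not listed
# (html, body, unknown tags) loses its tag but keeps its text.
KEEP = frozenset({"p", "br", "hr", "b", "i", "u", "strong", "em", "tt", "pre",
                  "small", "big", "font", "center", "blockquote", "div", "span",
                  "a", "img", "ul", "ol", "li", "table", "thead", "tbody", "tr",
                  "td", "th", "h1", "h2", "h3", "h4", "h5", "h6"})
VOID = frozenset({"br", "hr", "img"})
KEEP_ATTRS = frozenset({"href", "src", "alt", "title", "width", "height",
                        "align", "border", "cellpadding", "cellspacing",
                        "colspan", "rowspan", "color", "size", "face", "bgcolor"})
SAFE_SCHEMES = frozenset({"http", "https", "mailto", "cid"})  # cid: = inline part


class MailHtmlFilter(HTMLParser):
    """Rebuilds the HTML from the allow-lists; everything else is logged."""

    def __init__(self, block_remote_images=True):
        super().__init__(convert_charrefs=True)
        self.block_remote_images = block_remote_images
        self.out = []        # sanitized fragments
        self.removed = []    # audit trail of what was stripped and why
        self._skip = 0       # nesting depth inside a dropped element

    def _safe_url(self, tag, value):
        # Browsers ignore embedded tabs/newlines in URLs, so "java\tscript:" is
        # still executable; strip them before looking at the scheme.
        url = "".join(c for c in value if c not in "\t\r\n").strip()
        scheme = urlsplit(url).scheme.lower()
        if scheme not in SAFE_SCHEMES:
            self.removed.append(f"{scheme or 'relative'} url {url!r} on <{tag}>")
            return None
        if tag == "img" and scheme in ("http", "https") and self.block_remote_images:
            self.removed.append(f"remote image {url}")   # renders as placeholder
            return None
        return url

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1            # nested dropped element
            return
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.removed.append(f"element <{tag}> and its content")
            return
        if tag not in KEEP:
            self.removed.append(f"tag <{tag}> (text kept)")
            return
        clean = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on") or name not in KEEP_ATTRS:
                self.removed.append(f"attribute {name} on <{tag}>")
                continue
            if name in ("href", "src"):
                value = self._safe_url(tag, value)
                if value is None:
                    continue
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._skip:
                self._skip -= 1
            return
        if not self._skip and tag in KEEP and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))   # re-escape: convert_charrefs decoded it

    def handle_comment(self, data):
        # IE conditional comments can hide script; never pass comments through.
        self.removed.append("comment")


def sanitize(html):
    """Return (clean_html, list_of_removed_items)."""
    f = MailHtmlFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample message mixing ordinary formatting with the things a
# malicious HTML mail would carry (entity-encoded javascript: URL included).
SAMPLE = (
    '<html><head><script>document.location="http://evil.example/x"</script></head>'
    '<body><p onmouseover="steal()">Quarterly <b>results</b> attached.</p>'
    '<a href="&#106;avascript:alert(1)">click</a> '
    '<a href="https://intranet.example/report">report</a>'
    '<img src="http://tracker.example/p.gif" alt="logo">'
    '<iframe src="http://evil.example/"></iframe>'
    '<!--[if IE]><script>x()</script><![endif]-->'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    for item in removed:
        print("stripped:", item)
```

The design point is that it is an allow-list, not a block-list: new tricks (a tag or attribute nobody has seen yet) fall through to "drop the tag, keep the text" rather than passing untouched, which is what makes it useful against HTML that no AV dat yet recognizes. The `removed` log is worth keeping per message so the help desk can explain why a link or image is missing.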