Why does Microsoft block .url attachments and not .htm in Outlook?

2

Outlook by default blocks .url attachments and not .htm – why?

Any dangerous URL that could be in a .url file could also easily be in a .htm file and could be launched automatically using JavaScript. I see the same risk with both attachments, but Microsoft treats them differently. Am I missing something here? How is a .htm file safer than a .url file?

What else could be in a .url file that a hacker could not put in a .htm file?

zebzak

Posted 2011-09-13T22:30:10.527

Reputation:

Maybe there is a known vulnerability with .url files which would cause contained data to be interpreted without user interaction. – Der Hochstapler – 2012-02-28T12:59:08.397

Answers

1

You can disable scripts and redirects through browser security settings if you desire to do so.

You'd need to disable .url file support completely for some protection against those.

Daniel Beck

Posted 2011-09-13T22:30:10.527

Reputation: 98 421