T 5.111 Misuse of active content in e-mails

More and more emails are also HTML-formatted these days. On the one hand, this is often annoying, since not all email clients display this format. On the other hand, merely displaying such an email on the client may trigger undesired actions, since HTML email may contain embedded JavaScript or Visual Basic Script code, for example.

Through the combination of different security gaps in email clients and browsers, security problems associated with HTML-formatted emails have occurred time and again in the past (see also T 5.110 Web bugs). Among other documents, CERT Advisory CA-2001-06 contains an example of this (at http://www.cert.org/advisories/CA-2001-06.html).
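
A defensive check for the risk described above, as an added example that is not part of the original catalogue entry: it walks the MIME parts of a message and reports script elements, event-handler attributes and script-scheme URLs found in HTML bodies. The function and class names, the tag list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# Added example; SAMPLE is a constructed message, not a real e-mail.
SAMPLE = """\
From: sender@example.org
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: text/html

<html><body onload="init()">
<script type="text/vbscript">MsgBox "x"</script>
<a href="javascript:void(0)">link</a></body></html>
--b1--
"""

class ActiveContentFinder(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:                     # elements that run or load code
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):              # onload, onclick, ... (coarse match)
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif url.startswith(SCRIPT_SCHEMES):   # script hidden in a link or source
                self.findings.append(("script-url", f"{tag}@{name}"))

def scan_message(raw):
    """Return findings for every text/html part of a raw message string."""
    findings = []
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            findings += finder.findings
    return findings
```

A mail gateway or client could use such findings to strip the HTML part and fall back to the plain-text alternative.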