UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6158 APP3740 SV-6158r1_rule DCMC-1 Medium
Description
The practice of opening e-mails with executable code renders the recipient vulnerable to Internet worms, malicious content, and other threats.
STIG Date
Application Security and Development Checklist 2014-01-07

Details

Check Text ( C-3036r1_chk )
If the application does not send e-mail, this check is not applicable.

If the application sends e-mail, ask for user documentation and test results of e-mail portion of application. Additionally, execute the email portion of the application. If possible, configure mail to send to an established email account. If network configurations prevent actual mail delivery, perform the check by examining the mail in the mail queue. Examine documentation and email output.

1) If any email message contains files with the following extensions (.exe, .bat, .vbs, .reg, .jse, .js, .shs, .vbe, .wsc, .sct, .wsf, .wsh), it is a finding.
Fix Text (F-17125r1_fix)
Remove executable mobile code from email messages.