
The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.


Overview

Finding ID: V-6158
Version: APP3740
Rule ID: SV-6158r1_rule
IA Controls: DCMC-1
Severity: Medium
Description
The practice of opening e-mails with executable code renders the recipient vulnerable to Internet worms, malicious content, and other threats.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-3036r1_chk )
If the application does not send e-mail, this check is not applicable.

If the application sends e-mail, ask for the user documentation and the test results for the e-mail portion of the application. Additionally, execute the e-mail portion of the application. If possible, configure it to send mail to an established e-mail account. If network configurations prevent actual mail delivery, perform the check by examining the messages in the mail queue. Examine the documentation and the e-mail output.

1) If any email message contains files with the following extensions (.exe, .bat, .vbs, .reg, .jse, .js, .shs, .vbe, .wsc, .sct, .wsf, .wsh), it is a finding.
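The following script, added here as an illustration and not part of the STIG or any vendor's tooling, automates the extension check above over raw RFC 5322 messages such as those pulled from a mail queue. The message builder, the queue identifiers and the attachment contents are constructed sample data; the extension list is the one given in the check text. Matching is case-insensitive and uses the final extension, so "Update.EXE" and "invoice.pdf.js" are both flagged.

```python
"""Flag e-mail messages carrying attachments with the executable extensions
listed in the APP3740 check text (added example; sample data is constructed)."""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions from the check text, lowercased for case-insensitive matching.
FLAGGED_EXTENSIONS = {
    ".exe", ".bat", ".vbs", ".reg", ".jse", ".js",
    ".shs", ".vbe", ".wsc", ".sct", ".wsf", ".wsh",
}


def attachment_names(msg: EmailMessage) -> list:
    """Return the filename of every non-multipart part that carries one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition or Content-Type name
        if name:
            names.append(name)
    return names


def flagged_attachments(raw: bytes) -> list:
    """Parse a raw message and return the attachment names whose final
    extension is on the list; an empty list means the message passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for name in attachment_names(msg):
        suffix = PurePosixPath(name).suffix.lower()
        if suffix in FLAGGED_EXTENSIONS:
            hits.append(name)
    return hits


def scan_queue(messages: dict) -> dict:
    """Run the check over {queue_id: raw_message}; only messages with at
    least one finding appear in the result."""
    findings = {}
    for qid, raw in messages.items():
        hits = flagged_attachments(raw)
        if hits:
            findings[qid] = hits
    return findings


def _build(attachments: list) -> bytes:
    """Construct a sample message with the given (filename, bytes) attachments.
    Sample data only; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "app@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Report"
    msg.set_content("Your report is attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed mail queue: q1 is clean, q2 and q3 each contain a finding.
SAMPLE_QUEUE = {
    "q1": _build([("report.pdf", b"%PDF-1.4 sample")]),
    "q2": _build([("report.pdf", b"%PDF-1.4 sample"), ("Update.EXE", b"MZ sample")]),
    "q3": _build([("invoice.pdf.js", b"// sample")]),
}

if __name__ == "__main__":
    for qid, hits in scan_queue(SAMPLE_QUEUE).items():
        print(f"{qid}: finding, flagged attachments: {', '.join(hits)}")
```

To use this against a real queue, read each queued message as bytes into the dictionary passed to scan_queue; any entry in the result is a finding under item 1 of the check.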
Fix Text (F-17125r1_fix)
Remove executable mobile code from email messages.