At 11:44 PM 9/8/2003 -0500, you wrote:
>On Mon, 8 Sep 2003, Mark A. Hershberger wrote:
> > Dustin Puryear <dpuryear@usa.net> writes:
> >
> > > Advanced email software like Evolution has had flaws, and these flaws
> > > will be attacked more and more as there are more Linux end-users.
> >
> > What sort of exploitable flaws does Evolution have? How would the
> > exploitation of those flaws be similar to the exploits for Outlook if
> > everyone ran Evolution?
>
>I'm convinced that Joe User will click anything that says 'Click Me',
>regardless of his OS or mail client. To see if Kmail was really more
>secure, I sent myself a bash, perl, and compiled C program as attachments.
>From Kmail, just clicking around, there was no way to execute them.
>Attempts to "open" just opened the source in Emacs. There was no way to
>run them, which is good. All MUAs should be like this, since obviously
>most people are too dumb to have a smart mail client.

I absolutely agree! At worst show a warning like "You are about to do a
very, very dangerous thing. Are you sure?" and then possibly a "So when you
said Yes to being sure, were you sure you meant Yes? Or did you in fact
mean No? I would think you meant No. Right?" Better yet, require the user
to save the file to disk using a Save As and then perform the operation.
No automatic execution.

---
Dustin Puryear <dustin@puryear-it.com>
Puryear Information Technology, LLC <http://www.puryear-it.com>
Providing expertise in the management, integration, and security of
Windows and UNIX systems, networks, and applications.
___________________
Nolug mailing list
nolug@nolug.org

Received on 09/09/03
This archive was generated by hypermail 2.2.0 : 12/19/08 EST
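
The behaviour asked of a mail client in this thread (attachments can be saved to disk but are never run by clicking), sketched as an added example that is not part of the original message or of any MUA's code. The function names and the test message with its three attachments are constructed for illustration.

```python
import os
import stat
import tempfile
from email import message_from_bytes
from email.message import EmailMessage

# Leading bytes that mark content the kernel could execute directly.
EXEC_MAGIC = {b"\x7fELF": "ELF binary", b"#!": "script with shebang"}
X_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def build_sample() -> bytes:
    """Constructed test mail: a bash script, a perl script and an ELF stub."""
    msg = EmailMessage()
    msg["Subject"] = "attachment test (constructed sample)"
    msg.set_content("three attachments follow")
    for name, data in [
        ("hello.sh", b"#!/bin/bash\necho hi\n"),
        ("../hello.pl", b"#!/usr/bin/perl\nprint \"hi\\n\";\n"),
        ("hello", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

def save_attachments(raw: bytes, dest: str) -> list:
    """Write each attachment to dest as a plain file; never open or run it."""
    results = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers have no filename
        safe = os.path.basename(name.replace("\\", "/"))
        if safe in ("", ".", ".."):
            safe = "attachment"
        path = os.path.join(dest, safe)
        # O_EXCL refuses to overwrite; mode 0600 sets no execute bit.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(part.get_payload(decode=True))
            kind = next((label for magic, label in EXEC_MAGIC.items()
                         if part.get_payload(decode=True).startswith(magic)), "data")
        results.append((safe, kind, bool(os.stat(path).st_mode & X_BITS)))
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for row in save_attachments(build_sample(), d):
            print(row)  # (saved name, detected kind, has execute bit)
```
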