[linux-elitists] Re: HTML in e-mail

Jason Lunz lunz@falooley.org
Mon Aug 25 08:50:50 PDT 2003


nick@zork.net said:
> 	Hell, I use antiword, pstotext, and a bunch of other apps to
> make zork turn ALL big ugly incoming attachments into plain text.  If

A point nobody seems to have mentioned is that automatically feeding
every type of weird format that anyone might possibly send you into some
kind of translator is a huge security risk. It may not be a big issue if
folks like you do it here and there (well, unless someone's attacking
you specifically). But if that kind of setup were to become
widespread (say, as part of a RedHat default install), then it would
only take one buffer overflow in some common translator to make a pretty
good email worm akin to these ugly Outlook ones. You wouldn't even need
to open the mail if you had procmail or your MTA translating on
delivery. And how closely do things like antiword or pstotext get
security audited?

This is what I think of whenever people get all smug about Linux not
having a virus/worm problem. The time may not be ripe yet, but when
desktops get so "integrated" that the system is "smart" enough to find
the right handler for all kinds of attachments, it'll only be a matter
of time.

Or maybe I'm paranoid. But a Linux email worm wouldn't need root to
propagate.

Jason



