[linux-elitists] Re: HTML in e-mail

Karsten M. Self kmself@ix.netcom.com
Mon Aug 25 16:07:31 PDT 2003


on Mon, Aug 25, 2003 at 03:50:50PM +0000, Jason Lunz (lunz@falooley.org) wrote:
> nick@zork.net said:
> > 	Hell, I use antiword, pstotext, and a bunch of other apps to
> > make zork turn ALL big ugly incoming attachments into plain text.  If
> 
> A point nobody seems to have mentioned is that automatically feeding
> every type of weird format that anyone might possibly send you into some
> kind of translator is a huge security risk. It may not be a big issue if
> folks like you do it here and there (well, unless someone's attacking
> you specifically). But if that kind of setup were to become
> widespread (say, as part of a RedHat default install), then it would
> only take one buffer overflow in some common translator to make a pretty
> good email worm akin to these ugly Outlook ones. You wouldn't even need
> to open the mail if you had procmail or your MTA translating on
> delivery. And how closely do things like antiword or pstotext get
> security audited?
> 
> This is what I think of whenever people get all smug about linux not
> having a virus/worm problem. The time may not be ripe yet, but when
> desktops get so "integrated" that the system is "smart" enough to find
> the right handler for all kinds of attachments, it'll only be a matter
> of time.
> 
> or maybe I'm paranoid. But a linux email worm wouldn't need root to
> propagate.

Sure.

But the problems with the MS LookOut Automated Virus Propogation System
_aren't_ buffer overflows.  It's mandated automatic execution of
untrusted content.

_Most_ GNU/Linux handlers are _not_ randomly executing untrusted
content.  Outside of sandboxes.  With root / administrator privileges.
This _is_ the case in legacy MS Windows.

I do share some of your apprehension.  I feel there's still an order or
two of magitude (sic) difference between the GNU/Linux and legacy MS
Windows cases.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Office Despot: Office Depot embraces Microsoft XP logo requirement.
     http://www.aaxnet.com/editor/edit030.html
     http://www.theinquirer.net/?article=8472
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20030826/3019c616/attachment.pgp 


More information about the linux-elitists mailing list