List: kde-core-devel
Subject: Re: Werent we talking about trojans on Linux?
From: Karl-Heinz Zimmer <khz () kde ! org>
Date: 2002-10-28 23:34:57
On Tuesday 29 October 2002 00:26, Karl-Heinz Zimmer wrote:
> On Tuesday 29 October 2002 00:05, Rinse de Vries wrote:
> > Hi,
> >
> > just received a mail in kde-i18n-doc with the following link:
> >
> > http://www.dilbert.com/comics/dilbert/desktop_diversions/images/dilbert_screensaver.zip
> >
> > When pressing this link, KMail automagically opens 'ark' and starts
> > downloading the compressed file, without any warning...
> >
> > Now what if this was not a zip file, but an .exe file, and I have Wine
> > installed, would kmail call wine and start downloading the 'possible
> > virus' without any warning?
> > Now that is a security hole, isn't it?
>
> Having thought about it again: No, this should not happen.
>
> KMail is not allowed to start WINE without telling you before - that's how
> it is coded.

Ahem, it is night here and my brain will fall asleep soon: forget it,
what happens when you click on this link is NOT controlled by KMail
but by the viewer itself.

So the big question is: Why the hell does the viewer start a download
if it is not an image that's downloaded?

IM(not so)HO this _is_ a security issue and must be investigated!

I would even like to propose to find out about that _before_ releasing 3.1!

Karl-Heinz < Please send follow-ups to kde-core-devel@mail.kde.org >
--
Karl-Heinz Zimmer, Senior Software Engineer, Klarälvdalens Datakonsult AB
<mailto:khz@klaralvdalens-datakonsult.se> <mailto:khz@kde.org>
_________________________________________________________________________
"Why do we have to hide from the police, Daddy?"
"Because we use vi, son. They use emacs." Dave Fischer, 1995/06/19