
List:       kmail-devel
Subject:    Might it be possible to comment your LinuxSecurity article?
From:       Karl-Heinz Zimmer <khz () kde ! org>
Date:       2002-10-25 16:25:23


Hi Eric,   (I am cc'ing the KMail developers mailing list)

on http://linuxsecurity.com/articles/vendors_products_article-6009.html
you published part of an article by Zac Jensen stating the following:

     (...)    
     In KMail, he decided to view the attachment, thinking it was
     simply an image. He clicks it, nothing happens, no viewer, no
     error, nothing but a few seconds of milling around, and then
     more nothing. Then, the wine notification pops up.
     (...)


As it turned out now, this description of what happened is a bit
inaccurate.

Actually (and Zac stated that this is true) the user did the following:

   * Click on the attachment

   * See an explicit warning dialog (like the one attached to my mail)

   * Click on [Open] - which is *not* the default button of that dialog.

So the difference to the facts described in the text cited on your site
is this:

1. There was an extra _warning_ dialog telling the user explicitly
   that 'WINE' would be used with this attachment if he clicks on Open.

2. The user was explicitly told that doing so might compromise the
   system's security.

I don't know if it is possible to add this statement to your
linuxsecurity.com page, but /if/ it is possible you would do
me a big favor:
I am an enthusiastic :-) KMail developer and I got quite frustrated
by reading this article since we added this warning dialog
_intentionally_ for the very reason to _prevent_ such virus execution.

OTOH we are discussing this issue currently and considering several
measures to make it even MORE unlikely that a virus can do harm,
e.g. by restricting the things that executable attachments are
allowed to do when called by the user from within KMail...

Best greetings from the river Mosel!   (Germany)

  Karl-Heinz

-- 
Karl-Heinz Zimmer, Senior Software Engineer, Klarälvdalens Datakonsult AB
<mailto:khz@klaralvdalens-datakonsult.se>            <mailto:khz@kde.org>
_________________________________________________________________________
"Why do we have to hide from the police, Daddy?"   
   "Because we use vi, son.  They use emacs."    Dave Fischer, 1995/06/19
["KMail_Attachment_Open_WARNING.png" (image/png)]
_______________________________________________
KMail Developers mailing list
kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
