Re: [Evolution] Security Issues

From: Dan Winship <danw helixcode com>
To: warthawg blackhat net
Cc: evolution helixcode com
Subject: Re: [Evolution] Security Issues
Date: Tue, 18 Jul 2000 14:01:36 -0400

How will the way Evolution handles scripts/html/executables
be different than that of Outlook/Outlook Express?


HTML: GtkHTML does not currently support javascript. If it does in the
future, Evolution will disable that. Evolution does not currently
fetch remote images in HTML message bodies, because that can be used
by spammers to verify that you've received the message. (At some
point, it will be possible to tell Evolution "ok, load the images",
but currently there's no way to do it.)

Scripts/executables: Evolution does not and will not have the ability
to run scripts/executables attached to messages. There is the problem
of, eg, an Excel document with a malicious VB script in it. This needs
to be dealt with by the app being used to display the attachment. (In
this case, Gnumeric, which will use GNOME BASIC to safely run the VB
script without damage to your environment.) But this means that any
program used to display an attachment needs to be audited to make sure
it's safe against malicious data.

-- Dan

References:
- [Evolution] Security Issues
  - From: Joe Barr

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]