Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from David Mandelberg:
> s. keeling wrote:
> > Incoming from Moe:
> >
> >>Martin Schulze wrote:
> >>
> >>> Part 1 Type: C
> >>> Encoding: 8bit
> >>
> >>After all these months/years of warnings to NEVER open email
> >>attachments, why are you sending attachments instead of in-line?
> >
> > People who don't use stupid Windows email clients have no trouble with
> > attachments at all. Attachments are a very useful tool; for instance,
> > for code listings, they arrive unmangled by line wrap.
> >
> > Get a better email client, running on a better OS.
>
> Do you mean to say that opening "message.txt\t\t\t.desktop" which happens to be
> a "freedesktop.org compliant launcher for the program "rm -rf $HOME" is safe

No, I assume people have half a brain in their heads, look at the
attachment type, maybe save it to a file and inspect it, then maybe
look at it or delete it. Too much work? Okay, slap a lot of autoload
crap in your .mailcap and watch your system disappear. You don't
_have_ to look at an attachment if you don't trust it. Write the
person who you got it from and tell them to post it on a website
instead. Then point something sensible like firefox at it.

How often have you seen a "freedesktop.org compliant launcher for the
program "rm -rf $HOME"" anyway? I never have. 'Sounds like a
Microsoft Security Update (aka Swen) to me. Okay, it could happen.
That's why I take the time to think about what I'm doing.

> I agree that not opening any attachments is counter-productive and shows

Fear of opening attachments is stupid. It's fear mongering based on
experience with Windows applications' ineptitude.

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling