Re: unix and email viruses
On Sun, Mar 02, 2008 at 04:32:26PM -0800, David Fox wrote:
> On 3/2/08, Andrew Sackville-West <email@example.com> wrote:
> > The potential hole I see in mutt is not actually a hole in mutt but in
> > various helpers used by mutt users. For example, many of us use w3m or
> > links or some other text browser to dump html messages to plain text
> For that to work, various helper apps would have to be run as root or
> with root privileges.
Not true. A simple 'rm -rf ~' or equivalent could thoroughly devastate
the user whose mail the payload appeared in. A looping shell script
could send out spam or take part in a DDOS attack by sending out mail
or initiating other connections from the compromised user's account.
Neither of these requires root access.
Granted, non-root exploits would only affect the single user's account
rather than the system as a whole, but that makes them no less damaging
to that user.
(And then theres the matter of using a hole in a non-root setting to run
a local root exploit and gain root that way, but that's already been
brought up by someone else.)
News aggregation meets world domination. Can you see the fnews?