Re: unix and email viruses

[Dave Sherohman <dave@sherohman.org>]

On Sun, Mar 02, 2008 at 04:32:26PM -0800, David Fox wrote:
> On 3/2/08, Andrew Sackville-West <andrew@farwestbilliards.com> wrote:
> > The potential hole I see in mutt is not actually a hole in mutt but in
> > various helpers used by mutt users. For example, many of us use w3m or
> > links or some other text browser to dump html messages to plain text
> 
> For that to work, various helper apps would have to be run as root or
> with root privileges.

Not true.  A simple 'rm -rf ~' or equivalent could thoroughly devastate
the user whose mail the payload appeared in.  A looping shell script
could send out spam or take part in a DDOS attack by sending out mail
or initiating other connections from the compromised user's account.
Neither of these requires root access.

Granted, non-root exploits would only affect the single user's account
rather than the system as a whole, but that makes them no less damaging
to that user.

(And then theres the matter of using a hole in a non-root setting to run
a local root exploit and gain root that way, but that's already been
brought up by someone else.)

-- 
News aggregation meets world domination.  Can you see the fnews?
http://seethefnews.com/