[LINK] Freeview Launches In Australia

Rick Welykochy rick at praxis.com.au
Wed Nov 26 11:42:10 AEDT 2008


Ivan Trundle wrote:

> I was merely seeking confirmation of the way others use and react with 
> e-mail. For a moment, Rick, I thought that you were suggesting that 
> people view e-mails via web browsers, but I see that you imply that 
> e-mail clients now commonly not only render html, but act as a 
> fully-fledged web browser (is this correct?).

Exacto. I was not referring to web-based email.

The way we design software, the components used to render the HTML
and interact with the web client and web server (i.e. Javascript, other
executable crud) are reused.

So, yup, there is a complete web browser built into the email client
that can handle HTML. Scary sounding? It should be, since email is
*THE CONDUIT* to the internet, far outpacing all other internet apps.

By adding a complete web rendering and communication engine to the
email client, you have opened up the email client to that many more
possible exploits. But this is where it gets really nasty. The web
engine is now in a foreign environment where it can access much more than
just "its sandbox". It can access anything that the email system
can access.

Now let me see. When was the last time you clicked on an email attachment
and that attachment launched MS Excel or Word, or any other application?

Suddenly the web engine, with access to all sorts of private information
about you and your surfing habits and cookies and banking information
and (need I go on?) ... is running outside the sandbox and talking to any
application that an exploiter might care to run on your system.

Bingo!

And as already discussed to death on this list, it doesn't matter how many
times Windows Vista pops up a dialogue saying

  Do you really want to grant me permission to
  execute the application "1-2-3 Bingo" on your system?

The user merrily clicks OK. Battle lost. Game over.

Have Linkers already forgotten the posting last month that analysed a
phishing exploit from whoa to go?

That exploit installed a fake virus scanner on the system and then used
browser technology from within the email client to request credit card
details and as much other info as it could get, and in the background
installed zombie software to start the machine distributing whatever
the zombie controller wished. I would not be surprised if they included
a key logger for free ;)

If you did not read and understand what was going on in that exploit
(one that was launched by clicking on an attachment in your email, like
you do hundreds of times a week) then you should ask yourself if you
are using the Internet in a safe manner.

cheers
rickw


-- 
_________________________________
Rick Welykochy || Praxis Services

You go find out what they need and I'll start coding.
      -- two geeks
