In message <9510231413.AA26514@all.net>, Dr. Frederick B. Cohen writes: [...]
> I strongly disagree. If Netscape provided a way to execute shell commands on your host from a remote computer, it would certainly be a hole created by their product. The fact that the default shell is potentially dangerous means it's incumbent on those who provide access to it to provide adequate protection.
They do, add:

    application/x-shell; sh %s

to your .mailcap. They had better stop supporting mailcap altogether, after all *any* of the programs in there could have buffer overflows, or other security problems. I'll bet some of them even do. Anyone want to see if sox (a program that transforms sound files from format to format - frequently used to convert .wav files to .au files) has any overruns in the chunk handling code?
> If Netscape wants to claim their product doesn't degrade security, they should provide a safe postscript interpreter or not provide hooks to unsafe ones.
Sure, and they had better find a way to keep us from editing the binary and adding whatever insecure features we may want to their program.

obcrypto: maybe it would be a good idea for programs to list problems that are beyond their control. To many people it may be surprising that anything in their .mailcap could hurt them. To others it is hardly a shock and seeing a lot of messages about it tends to get rather boring, esp. as a few people jump up and down and yell about the Danger To Us All...
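
An added example, not part of the original message or either poster's code: a small audit that reads a mailcap file and classifies each handler, separating entries that execute the content outright (like the `application/x-shell; sh %s` line above) from PostScript handlers run without `-dSAFER` and from ordinary helpers such as sox that still parse untrusted input. The interpreter list, the risk labels and the sample file are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed policy lists for this example; extend them for your own hosts.
INTERPRETERS = {"sh", "bash", "csh", "ksh", "perl", "python", "tclsh"}
# Assumption: a Ghostscript build where SAFER mode is not the default.
POSTSCRIPT = {"gs", "ghostscript"}

# Constructed sample input, not taken from any real user's ~/.mailcap.
SAMPLE = """\
# viewers
application/x-shell; sh %s
application/postscript; gs -q %s
application/postscript; gs -dSAFER -q %s
audio/x-wav; sox %s -t .au - \\
    > /dev/audio
"""

def audit_mailcap(text):
    """Return (mime_type, command, risk) for every handler in the file."""
    findings = []
    # A backslash at end of line continues the entry on the next line.
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are ';'-separated; a ';' preceded by a backslash is literal.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2 or not fields[1]:
            continue
        mime, command = fields[0].lower(), fields[1]
        try:
            argv = shlex.split(command)
        except ValueError:          # unbalanced quotes: fall back to whitespace
            argv = command.split()
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in INTERPRETERS:
            risk = "executes-content"        # the document itself is the program
        elif prog in POSTSCRIPT and "-dSAFER" not in argv:
            risk = "unsafe-postscript"       # file operators left enabled
        else:
            risk = "parses-untrusted-input"  # still exposed to parser bugs
        findings.append((mime, command, risk))
    return findings

if __name__ == "__main__":
    for finding in audit_mailcap(SAMPLE):
        print(*finding, sep=" | ")
```

Every entry is reported, because the third category never means "safe": it only means the handler was not written to run its input as code.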