Scripsit ille Tim Hammerquist <tim@vegeta.ath.cx>:
> Rudolf Polzer graced us by uttering:
> > So there *is* something about AOL which is not bad. Thanks for your
> > information!
> 
> I'm sure it wasn't intentional, and I hope this doesn't interfere with
> your opinion of this monolithic cruftball.  ;)

Let's say "better AOL and AOL software than any ISP and OE" ^_^;;

Does the current AOL software still use IE for viewing websites or has
it been fixed? At least AOL has taken over Netscape, so it might be
possible.

> > You also should never open attachments from known senders. Viruses
> > often come from known senders who have you in their address book,
> 
> Good advice, but it's really only really important if you use MS
> Outhouse Distress.

Or MS Windows (.exe, .scr, .pif), MS Office (.doc, .xls, .mbd)...
I just removed Magistr.B from an AOL user's computer. Which is a
PE infecting virus and does not depend on any scripting.

> Most of the popular virii exploit the VBScript features of MSOE's
> internal mail viewer to ransack your address book and spam-infect your
> friends/acquaintances. I don't believe Netscape has such a security
> hole.

I only know Netscape holes which allow *reading* of arbitrary files.
But Messenger does not execute script code in HTML mail by default.

> > so I only open attachments that are safe (image formats are safe) or
> > have been announced or requested. No matter who it's from.
> 
> Again, good advice.  Image formats _are_ safe, despite the recent
> warnings that they've successfully embedded virii in JPG files.

Doesn't that depend on the viewer? But there might really be a buffer
overrun in IE's JPEG decoding routines that allows code to be executed
on viewing a JPEG file. I wouldn't trust IE too much *g* especially when
displaying PNG files (which needs zlib - there was a bug in there, and I
bet most computers with an PNG-capable IE still have the zlib bug). But
I don't know if the zlib bug was even exploitable - it was "just" a
double free().

> Yes, the virus code is inside the file, BUT it has no way of running
> or replicating itself.

One year ago, I read something in alt.comp.virus.source.code about
someone who thought he was a 31337 h4x0r because he wrote an image
viewer that could execute code from JPEG comments. But that's no serious
threat IMHO (except a widely used application has such a backdoor - the
only example of such an application was Quake 2) - and that does not
mean JPEG files are dangerous.

> Anything marked of content-type text/plain is probably ok, so long as
> you don't blindly execute it.

Again: buffer overruns are possible. Netscape 4.5 had one (it crashed
when there was a line >1024 chars and one viewed the source), but I
don't know if they were on the stack and therefore exploitable.

> The biggest dangers are in .EXE, .VBS, or .SCR files, but these are
> only dangers to Windows systems.

ACK.

-- 
In diesem Sinne kannst du's wagen.
Verbinde dich! du sollst in diesen Tagen
Mit Freuden meine K�$(D??nste sehn;
Ich gebe dir, was noch kein Mensch gesehn.