Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-21 Thread Bill Marcum
On Tue, Jan 18, 2005 at 07:14:29PM -0800, Moe wrote:
 After all these months/years of warnings to NEVER open email 
 attachments, why are you sending attachments instead of in-line?
 
 Martin Schulze wrote:
  
 Part 1   Type: C
  Encoding: 8bit
 
What mail client are you using, and why does it see an attachment where 
mutt does not?


-- 
When you say that you agree to a thing in principle, you mean that
you have not the slightest intention of carrying it out in practice.
-- Otto Von Bismarck


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-21 Thread David Mandelberg
Adam Lydick wrote:
 Fantastic idea! (as others have said) Have you filed a bug against
 nautilus (and other shells) to this effect? You might also file one at
 the various upstream bug tracking systems as well.
I'm glad you like it (I do too), but it wasn't my idea. Search the ubuntu-devel
list archives at lists.ubuntu.com for the "Scary .desktop behaviour" thread.


 I was pondering complicated solutions with alternate stream hacks (like
 XPSP2 uses), but your suggestion is much simpler and would require
 minimal changes to the system.

 On Wed, 2005-01-19 at 06:52 -0500, David Mandelberg wrote:
 [snip]


I'm just suggesting that it should be harder for them to shoot themselves in the
foot, i.e. by making .desktop's have the x bit before they can be launched.


 [snip]



--
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GAT/CM$/CS$/CC/IT$/M/S/O/U dpu s+:++ !a C++$C+++$
UB+++$L$*-- P+++$ L+++()$ E-(---) W+++$ N(+) o? K-
w--(---) O? M V? PS++@ PE-@ Y+@ PGP++(+++)$ t? 5? X? R tv--(-)
b++(+++)@ DI? D? G e- h* r? z*
--END GEEK CODE BLOCK--

David Mandelberg
[EMAIL PROTECTED]




Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-20 Thread David Schmitt
On Wednesday 19 January 2005 04:45, David Mandelberg wrote:
 Attached.

 Save to your GNOME/KDE desktop (like many newbies do) and double click  the
 new icon. .desktop files (currently) don't need the x bit set to work, so
 no chmod'ing is necessary.

Hmm, attached a screenshot how every MUA should handle this.

With this display, no attachment ever could fake its way into naive[1] users'
brains.



Regards, David


[1] naive != stupid
attachment: kmail.png

Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-19 Thread Rick Moen
Quoting s. keeling ([EMAIL PROTECTED]):

 The problem here is the nitwit factor.

Yes, well, a bunch of us have been keeping an eye on Linux MUAs and
default mailcap behaviour for 10+ years, to make sure zeal for
simplicity doesn't lead coders or distro assemblers to do something
dumb.  Thus my question of the other poster.

I wasn't going to hold my breath waiting for a qualifying, valid
response of the "Why certainly; please have a look at this" variety,
but much can happen in a wide universe.  At that point, appropriate
cluebats get deployed, etc.

 I say again to the original poster, get a better MUA, running on a
 better OS.

Quite.

-- 
Cheers,                     Hardware:  The part you kick.
Rick Moen                   Software:  The part you boot.
[EMAIL PROTECTED]





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-19 Thread David Mandelberg
s. keeling wrote:
 No, I assume people have half a brain in their heads, look at the
 attachment type, maybe save it to a file and inspect it, then maybe
 look at it or delete it. Too much work?
Whether it's too much work or not, most non-geeks I know don't bother.

 Okay, slap a lot of autoload
 crap in your .mailcap and watch your system disappear.  You don't
 _have_ to look at an attachment if you don't trust it.
I know, but if it looks like a text document to a newbie, they probably would
open it anyway.

I'm just suggesting that it should be harder for them to shoot themselves in the
foot, i.e. by making .desktop's have the x bit before they can be launched.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-19 Thread Florian Weimer
* s. keeling:

 People who don't use stupid Windows email clients have no trouble with
 attachments at all.  Attachments are a very useful tool; for instance,
 for code listings, they arrive unmangled by line wrap.

 Get a better email client, running on a better OS.

You mean the OS whose users invented shell archives and unshar?





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-19 Thread s. keeling
Incoming from Florian Weimer:
 * s. keeling:
 
  People who don't use stupid Windows email clients have no trouble with
  attachments at all.  Attachments are a very useful tool; for instance,
  for code listings, they arrive unmangled by line wrap.
 
  Get a better email client, running on a better OS.
 
 You mean the OS whose users invented shell archives and unshar?

Yes, the one that was smart enough to learn from mistakes like that.
The one he's using still thinks that kind of behaviour is a feature.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-19 Thread Sam Watkins
On Wed, Jan 19, 2005 at 06:52:17AM -0500, David Mandelberg wrote:
 I'm just suggesting that it should be harder for them to shoot
 themselves in the foot i.e. by making .desktop's have the x bit before
 they can be launched.

I strongly agree.  No, I STRONGLY agree!

If they are to be marked executable, those .desktop files should have a
#! so that they aren't fed to the shell.  Unfortunately it would be a
bit difficult to apply that change retrospectively, however an upgrade
script could take care of it.

It's no good saying the stupid user shouldn't click on the file.
It is very easy even for an experienced user to do something like this
by mistake.  We want to make Debian's desktop safe for inexperienced
people (and children) to use.

I think the X bit is unix's single most important security feature.  No
program should ever be executed without it!  (jailed scripts excepted)

I should be able to download anything off the web and double click on it
without any possibility that it will run some arbitrary script.  If it
is supposed to be an executable program, I should have to chmod +x it
before it will run.  A gui could provide a more user-friendly way to do
this - possibly a pop-up when you click such a file that warns about
viruses, asks if you want to mark the program executable, and if yes,
tells you to double-click again to run it.

We should also make sure that executables within archives cannot easily
be activated through a VFS, but only after unpacking the archive.  It
would be better if the GUI archiver programs did not set the X bit for
unpacked files by default.

This reminds me of the time a few years ago, when someone put a mailcap
entry for .exe files to launch wine in Debian.  I noticed this when I
accidentally pressed enter at the wrong time in mutt, and it started
to run an .exe.  That was very very bogus.  Now someone has added a
wrapper that asks you if you want to run the .exe.

We must not allow Windoze's document / program dyslexia to infect Unix!!





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Sebastian Lövdahl

Martin Schulze wrote:
This message was modified by F-Secure Anti-Virus E-Mail Scanning.

This is what F-Secure gave me. Martin do you send viruses? ;)
Sebastian


Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Willy Sjonfjell

test

Tue, 18.01.2005 at 10:41 +0100, Martin Schulze wrote:

plain text document attachment

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 644-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 18th, 2005                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: chbg
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE ID : CAN-2004-1264
Debian Bug : 285904

Danny Lungstrom discovered a vulnerability in chbg, a tool to change
background pictures.  A maliciously crafted configuration/scenario
file could overflow a buffer and lead to the execution of arbitrary
code on the victim's machine.

For the stable distribution (woody) this problem has been fixed in
version 1.5-1woody1.

For the unstable distribution (sid) this problem has been fixed in
version 1.5-4.

We recommend that you upgrade your chbg package.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Moe
After all these months/years of warnings to NEVER open email 
attachments, why are you sending attachments instead of in-line?

Martin Schulze wrote:
 
Part 1   Type: C
 Encoding: 8bit





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Moe:
 Martin Schulze wrote:
  
 Part 1   Type: C
  Encoding: 8bit
 
 After all these months/years of warnings to NEVER open email 
 attachments, why are you sending attachments instead of in-line?

People who don't use stupid Windows email clients have no trouble with
attachments at all.  Attachments are a very useful tool; for instance,
for code listings, they arrive unmangled by line wrap.

Get a better email client, running on a better OS.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread David Mandelberg
s. keeling wrote:
 Incoming from Moe:
 
Martin Schulze wrote:

   Part 1   Type: C
Encoding: 8bit

After all these months/years of warnings to NEVER open email 
attachments, why are you sending attachments instead of in-line?
 
 
 People who don't use stupid Windows email clients have no trouble with
 attachments at all.  Attachments are a very useful tool; for instance,
 for code listings, they arrive unmangled by line wrap.
 
 Get a better email client, running on a better OS.

Do you mean to say that opening message.txt\t\t\t.desktop which happens to be
a freedesktop.org compliant launcher for the program rm -rf $HOME is safe
because it's designed for people running one of the F/OSS products GNOME or KDE
on a F/OSS OS?

I agree that not opening any attachments is counter-productive and shows
paranoia, but we shouldn't feel that just because F/OSS is better than e.g. MS
Windows it's infinitely better.




Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Rick Moen
Quoting David Mandelberg ([EMAIL PROTECTED]):

 Do you mean to say that opening message.txt\t\t\t.desktop which
 happens to be a freedesktop.org compliant launcher for the program rm
 -rf $HOME is safe because it's designed for people running one of the
 F/OSS products GNOME or KDE on a F/OSS OS?

Please advise this mailing list of which specific Linux or BSD MUA (or
specific configuration thereof) is willing to execute a received binary
or script attachment.  I'll be very interested to read your specific report
that details an actual, reproducible test.

In anticipation,
Rick M.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Denis O'Toole
Can you please OT: this
Regards
Denis O'Toole
Moe wrote:
After all these months/years of warnings to NEVER open email 
attachments, why are you sending attachments instead of in-line?

Martin Schulze wrote:
 

  Part 1   Type: C
   Encoding: 8bit
   


 




Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread David Mandelberg
Rick Moen wrote:
 Quoting David Mandelberg ([EMAIL PROTECTED]): 
Do you mean to say that opening message.txt\t\t\t.desktop which
happens to be a freedesktop.org compliant launcher for the program rm
-rf $HOME is safe because it's designed for people running one of the
F/OSS products GNOME or KDE on a F/OSS OS?
 
 
 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received binary
 or script attachment.  I'll be very interested to read your specific report
 that details an actual, reproducible test.
Attached.

Save to your GNOME/KDE desktop (like many newbies do) and double click the new
icon. .desktop files (currently) don't need the x bit set to work, so no
chmod'ing is necessary.

This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if it
had Terminal=false, had the OOo writer icon, a title of something.sxw and
actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning
some poor newbie's $HOME.



message.txt .desktop
Description: application/desktop
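
A defender-side check for the two points raised in this message and in Sam Watkins's message earlier on the page: a launcher that presents itself as a document (padded file name, document-like Name=, Terminal=false), and the proposal that a .desktop file should carry the x bit before it may launch. This is an added example, not code from the thread or from GNOME/KDE; it assumes the desktop entry is plain INI-style text that Python's ConfigParser can read, and every file name, Exec line and mode below is constructed for the demonstration.

```python
import os
import stat
import tempfile
from configparser import ConfigParser, Error as ConfigError

# Constructed samples: a launcher modelled on the one described in the thread (visible
# name and Name= look like a text document) and a benign launcher for comparison.
SAMPLE_NAME = "message.txt\t\t\t.desktop"
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=message.txt
Exec=sh -c 'echo rm -rf $HOME; read x'
Terminal=false
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %f
Terminal=false
"""
DOCUMENT_SUFFIXES = (".txt", ".sxw", ".doc", ".odt", ".pdf")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or None if text is not one."""
    parser = ConfigParser(interpolation=None, strict=False)  # entries are INI-like
    parser.optionxform = str  # keys are case sensitive in desktop entries
    try:
        parser.read_string(text)
    except ConfigError:
        return None
    if not parser.has_section("Desktop Entry"):
        return None
    return dict(parser["Desktop Entry"])


def audit_desktop_file(name, text, mode):
    """Findings for one file: name as on disk, text its content, mode its st_mode."""
    entry = parse_desktop_entry(text)
    if entry is None or entry.get("Type") != "Application":
        return []  # not a launcher, nothing to gate
    findings = []
    stem = name[:-len(".desktop")] if name.endswith(".desktop") else name
    # Whitespace padding pushes the real ".desktop" suffix out of view in a listing.
    padded = stem != stem.rstrip()
    if padded:
        findings.append("whitespace padding hides the .desktop suffix")
    # Either the visible stem or Name= claims to be a document.
    labels = (stem.rstrip(), entry.get("Name", ""))
    doc_like = [l for l in labels if l.lower().endswith(DOCUMENT_SUFFIXES)]
    if doc_like:
        findings.append("document-like name on a launcher: %r" % doc_like[0])
    # Reported only for a disguised launcher: its Exec would run with no window.
    if (padded or doc_like) and entry.get("Terminal", "false").lower() == "false":
        findings.append("Terminal=false: Exec runs without a visible terminal")
    # The thread's proposed gate: a launcher without the x bit should not launch.
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("no x bit: would be refused under an execute-bit policy")
    return findings


def audit_directory(directory):
    """Map every .desktop file under directory to its non-empty findings."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for fname in (f for f in files if f.endswith(".desktop")):
            path = os.path.join(root, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_desktop_file(fname, fh.read(), os.fstat(fh.fileno()).st_mode)
            if findings:
                report[path] = findings
    return report


def demo():
    """Write both samples to a scratch directory, set their modes, and audit it."""
    with tempfile.TemporaryDirectory() as scratch:
        for fname, text, mode in ((SAMPLE_NAME, SAMPLE_DESKTOP, 0o644),
                                  ("editor.desktop", BENIGN_DESKTOP, 0o755)):
            path = os.path.join(scratch, fname)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)  # 0644: as saved from mail; 0755: after chmod +x
        return {os.path.basename(p): f for p, f in audit_directory(scratch).items()}
```

Run `demo()` to see that only the disguised, non-executable launcher is reported; pointing `audit_directory` at a Desktop or download folder applies the same checks to real files.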


Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from David Mandelberg:
 s. keeling wrote:
  Incoming from Moe:
  
 Martin Schulze wrote:
 
Part 1   Type: C
 Encoding: 8bit
 
 After all these months/years of warnings to NEVER open email 
 attachments, why are you sending attachments instead of in-line?
  
  People who don't use stupid Windows email clients have no trouble with
  attachments at all.  Attachments are a very useful tool; for instance,
  for code listings, they arrive unmangled by line wrap.
  
  Get a better email client, running on a better OS.
 
 Do you mean to say that opening message.txt\t\t\t.desktop which happens to be
 a freedesktop.org compliant launcher for the program rm -rf $HOME is safe

No, I assume people have half a brain in their heads, look at the
attachment type, maybe save it to a file and inspect it, then maybe
look at it or delete it.  Too much work?  Okay, slap a lot of autoload
crap in your .mailcap and watch your system disappear.  You don't
_have_ to look at an attachment if you don't trust it.  Write the
person who you got it from and tell them to post it on a website
instead.  Then point something sensible like firefox at it.

How often have you seen a freedesktop.org compliant launcher for the
program rm -rf $HOME anyway?  I never have.  'Sound like a
Microsoft Security Update (aka Swen) to me.  Okay, it could happen.
That's why I take the time to think about what I'm doing.

 I agree that not opening any attachments is counter-productive and shows

Fear of opening attachments is stupid.  It's fear mongering based on
experience with Windows applications' ineptitude.





Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Rick Moen
Quoting David Mandelberg ([EMAIL PROTECTED]):

 Attached.
 
 Save to your GNOME/KDE desktop (like many newbies do) and double click
 the new icon. .desktop files (currently) don't need the x bit set to
 work, so no chmod'ing is necessary.

I'm sorry, but the question was: 

Please advise this mailing list of which specific Linux or BSD MUA (or
specific configuration thereof) is willing to execute a received
binary or script attachment.  I'll be very interested to read your specific
report that details an actual, reproducible test.

You appear to have answered some question I didn't ask.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Rick Moen:
 Quoting David Mandelberg ([EMAIL PROTECTED]):
 
  Do you mean to say that opening message.txt\t\t\t.desktop which
  happens to be a freedesktop.org compliant launcher for the program rm
  -rf $HOME is safe because it's designed for people running one of the
  F/OSS products GNOME or KDE on a F/OSS OS?
 
 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received binary

Hi Rick.  :-)

Well, even mutt will, if you turn on autoload crap in .muttrc and load
up your .mailcap with stupid helper apps.

Out of the box, no, mutt doesn't do that.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Rick Moen
Quoting s. keeling ([EMAIL PROTECTED]):

 Well, even mutt will, if you turn on autoload crap in .muttrc and load
 up your .mailcap with stupid helper apps.
 
 Out of the box, no, mutt doesn't do that.

Ja.  We might call the .mailcap scenario the aim-gun-at-my-foot-please 
mutt extension.  Maybe someone can file an ITP for it, as package mutt-fod 
(for Friends of Darwin).  ;-




Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Denis O'Toole:
 Can you please OT: this

Hint:  the d key will probably do this for you.  Please stop
interfering with discussions of insecure applications on
debian-security.  TVM.  :-)





Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Alvin Oga

On Tue, 18 Jan 2005, David Mandelberg wrote:

 Save to your GNOME/KDE desktop (like many newbies do) and double click the new
 icon. .desktop files (currently) don't need the x bit set to work, so no
 chmod'ing is necessary.

that'd be dumb of the user
 
 This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if it
 had Terminal=false, had the OOo writer icon, a title of something.sxw and
 actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning
 some poor newbie's $HOME.

that'd be even dumber of the user ..

and it is a known problem from 15-20 years ago ..

- don't click or execute commands you do not know
  what it will be doing

- even simple things like ls, tar, cat can be renamed ( cracked )
  to something more painful

- it's not a security issue ... and is unsolvable, not preventable
  if you click on things or execute commands manually

- the super paranoid might be using encrypted fs with
  md5 of their commands before executing cat foo

c ya
alvin






Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Rick Moen:
 Quoting s. keeling ([EMAIL PROTECTED]):
 
  Well, even mutt will, if you turn on autoload crap in .muttrc and load
  up your .mailcap with stupid helper apps.
  
  Out of the box, no, mutt doesn't do that.
 
 Ja.  We might call the .mailcap scenario the aim-gun-at-my-foot-please 

Ha!

The problem here is the nitwit factor.  Nitwits who are deathly afraid
of having to think about what to do with some obscure file format, want
their app/OS to just fscking handle it and do the right thing.  Well,
what app/OS is well known for that sort of behaviour?  And what are the
generally expected repercussions?  Oh yes.  Lookout! and Internet
Exploder, and consequently enabled viruses, worms, trojans, spambots,
spyware, ...

I say again to the original poster, get a better MUA, running on a
better OS.  I've no sympathy for your present situation.  Attachments
are a valuable feature that your system is unable to take advantage
of.  We don't have that problem here.  That's why we run Debian.

