Re: 10.3.2 Important! Disable preview of attachments because of possible vulnerability

2022-11-14 Thread George Salnik
Howdy!

You wrote on 11 November 2022, 22:37:04:

>> Attachments are first converted into safe and simple HTML code, so what 
>> security issues do you see there?
> Which library does this process? The CEF?
Yep! That is what I was asking about. What technologies do you use for this converter?


Best Regards, George Salnik
RitLabs Russian Forum Moderator
'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html


Re: 10.3.2 Important! Disable preview of attachments because of possible vulnerability

2022-11-11 Thread NetVicious
Friday, 11 Nov. 2022 at 12:18, it seems you wrote:

> Attachments are first converted into safe and simple HTML code, so what 
> security issues do you see there?

Which library does this process? The CEF?

Regards,


-- 
  /\   /  Using  The Bat!  x64 10.3.2 Professional + OTFE 
with iKey1000
 /  \  / \  / Windows (10.0.19045 )
/\/ e t   \/ i c i o u s  Plugins: AntiSpamSniper 3.3.5.3
   
Spanish Translator of The Bat!





Re: 10.3.2 Important! Disable preview of attachments because of possible vulnerability

2022-11-11 Thread Stefan Tanurkov via TBBETA
Hello Gwen, 

> why are we not able to disable previews and tabs of attachments in 
> message list by settings?

To disable attachment preview, use the "Attachment auto-preview" option in the 
attachment pane popup or "Workspace|Attached files|Attachment auto-preview"
 

> I am really concerned about security issues related to the attachment 
> viewer.

We have tested the code and it's proven to be safe. We've tested against 
existing exploits and we see that the exploits don't work with The Bat!
 
 
> 1. If attachments are rendered by Chromium CEF, there are always 
>    security issues in browser viewer part of The Bat!. 

Attachments are first converted into safe and simple HTML code, so what 
security issues do you see there?
 

> 3. The Bat!'s XML parser for some data types can be vulnerable.
 
No security issues were found so far.
 
 
> 2. Vulnerability could be the unpacking of compressed 
>    data. 

No security issues were found in the ZIP library so far. Yeah, ZIP bombs may 
cause "out of memory" messages, but that's the only bad thing that may happen.

> I think there is a real need of never opening attachments, not even hidden 
> internally!, if that is forbidden by The Bat! settings.

Attachments are read in a very similar way as parsing email messages. If the 
parsing code is good enough, why should you worry? Parsing emails or images or 
protocols is also a potentially vulnerable task if a wrong coding approach is 
taken, especially when it comes to cryptography. Just take a look at logged The 
Bat! security/vulnerability issues - do you see many found in 25 years?


-- 
Best regards,
Stefan Tanurkov





10.3.2 Important! Disable preview of attachments because of possible vulnerability

2022-11-11 Thread Gwen
Hello Stefan,

why are we not able to disable previews and tabs of attachments in 
message list by settings?

I have disabled opening attachments of Microsoft Office data and other 
types, but the preview tab is always visible and shows a preview of 
f.ex. MS documents when accidentally clicked on this tab.

This means for me such attachments are internally opened and rendered.

I am really concerned about security issues related to the attachment 
viewer.

My question now: how do you protect us, The Bat! users, from malicious 
attachments? 
 
1. If attachments are rendered by Chromium CEF, there are always 
   security issues in browser viewer part of The Bat!. 
   And Chromium sandbox is not really a good protection.
   
2. Vulnerability could be the unpacking of compressed 
   data. 
   Think about a so-called ZIP bomb or a compressed archive which is   
   decompressed by a vulnerable zlib (or similar) program lib of The 
   Bat!. 
   
3. The Bat!'s XML parser for some data types can be vulnerable.


I think there is a real need to never open attachments, not even hidden 
internally, if that is forbidden by The Bat! settings.

Please take some time and explain to us why The Bat! still stays safe 
with regard to attachments.

-- 
Regards
Gwen

Using The Bat! Version 10.3.2 (32-bit) on Windows 10.0 (Build 19045 )

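Gwen's point 2 and Stefan's reply both concern the unpacking of compressed attachments and the "out of memory" outcome of a ZIP bomb. The following is an added example, not code from The Bat! or from anyone in this thread, of the two checks a mail client can apply before rendering an archive: audit the declared sizes in the central directory without decompressing anything, then, when a member is actually read, enforce the cap on real output bytes because the declared size in the header can be wrong. The limits, function names and the sample archive are constructed for illustration; only Python's standard `zipfile` module is used.

```python
import io
import zipfile

# Constructed limits: what a viewer is willing to expand before rendering.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB across all members
MAX_RATIO = 100                              # uncompressed:compressed per member
CHUNK = 64 * 1024                            # read granularity for bounded extraction


def audit_zip(data: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED,
              max_ratio: int = MAX_RATIO):
    """Inspect central-directory metadata only; nothing is decompressed.

    Returns (ok, reasons). A member is flagged when its declared expansion
    ratio is suspicious, and the archive is flagged when the declared total
    would exceed the memory budget. Stored (uncompressed) members have a
    ratio of 1:1 and are never flagged on ratio."""
    reasons = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if info.compress_size > 0:
                ratio = info.file_size / info.compress_size
                if ratio > max_ratio:
                    reasons.append(
                        f"{info.filename}: declared ratio {ratio:.0f}:1 "
                        f"exceeds {max_ratio}:1")
    if total > max_total:
        reasons.append(f"declared total {total} bytes exceeds {max_total}")
    return (not reasons, reasons)


def extract_bounded(data: bytes, name: str, max_bytes: int) -> bytes:
    """Decompress one member in chunks and abort once real output passes
    max_bytes. This is the check that holds even if the header lies."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            out += chunk
            if len(out) > max_bytes:
                raise ValueError(
                    f"{name}: expanded past {max_bytes} bytes, aborting")
    return bytes(out)


def build_sample() -> bytes:
    """Constructed sample archive: one ordinary text member plus one
    highly compressible member standing in for a decompression bomb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly numbers attached\n")
        zf.writestr("bomb.bin", b"\x00" * (8 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    ok, why = audit_zip(sample)
    print("audit ok:", ok)
    for line in why:
        print("  -", line)
    print(extract_bounded(sample, "report.txt", 4096))
    try:
        extract_bounded(sample, "bomb.bin", 1024 * 1024)
    except ValueError as exc:
        print("bounded extraction refused:", exc)
```

The audit is cheap and runs on metadata alone, so it is a reasonable gate before any preview tab is populated; the bounded read is what actually protects the process, since a crafted header can declare a small size for a member that expands far larger. Rejecting the attachment (and saying why) is a better outcome than the "out of memory" message the thread describes.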