Hello Gwen,
> why are we not able to disable previews and tabs of attachments in
> message list by settings?
To disable attachment preview, use the "Attachment auto-preview" option in the
attachment pane popup or "Workspace|Attached files|Attachment auto-preview".
> I am really concerned about security issues related to the attachment
> viewer.
We have tested the code and it's proven to be safe. We've tested against
existing exploits and we see that the exploits don't work with The Bat!
> 1. If attachments are rendered by Chromium CEF, there are always
> security issues in browser viewer part of The Bat!.
Attachments are first converted into safe and simple HTML code, so what
security issues do you see there?
> 3. The Bat!'s XML parser for some data types can be vulnerable.
No security issues were found so far.
> 2. Vulnerability could be the unpacking of compressed
> data.
No security issues were found in the ZIP library so far. Yeah, ZIP bombs may
cause "out of memory" messages, but that's the only bad thing that may happen.
> I think there is a real need of never opening attachments, not even hidden
> internally!, if that is forbidden by The Bat! settings.
Attachments are read in a very similar way as parsing email messages. If the
parsing code is good enough, why should you worry? Parsing emails or images or
protocols is also a potentially vulnerable task if a wrong coding approach is
taken, especially when it comes to cryptography. Just take a look at logged The
Bat! security/vulnerability issues - do you see many found in 25 years?
--
Best regards,
Stefan Tanurkov
'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
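
The ZIP-bomb point discussed in the message above, as an added example that is not part of the original e-mail and is not The Bat!'s code: a preview routine can refuse an archive before memory runs out by capping the entry count and the bytes actually decompressed. The names `bounded_preview`, `PreviewRefused` and `make_zip` and the limit values are assumptions chosen for illustration.

```python
import io
import zipfile

# Assumed budgets for a preview pane; tune per deployment.
MAX_ENTRIES = 100
MAX_TOTAL_BYTES = 1 * 1024 * 1024
CHUNK = 64 * 1024


class PreviewRefused(Exception):
    """Raised when an archive exceeds the preview budget."""


def bounded_preview(zip_bytes, max_entries=MAX_ENTRIES, max_total=MAX_TOTAL_BYTES):
    """Return {name: bytes} for a ZIP attachment, or raise PreviewRefused."""
    out = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise PreviewRefused("too many entries")
        # Cheap early reject based on the sizes the archive declares.
        if sum(i.file_size for i in infos) > max_total:
            raise PreviewRefused("declared size over budget")
        for info in infos:
            if info.is_dir():
                continue
            buf = bytearray()
            with zf.open(info) as fh:
                # Do not rely on declared sizes alone: count the bytes
                # actually produced and stop as soon as the budget is hit.
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_total:
                        raise PreviewRefused("decompressed size over budget")
                    buf += chunk
            out[info.filename] = bytes(buf)
    return out


def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return bio.getvalue()
```

The budget is shared across all entries, so many medium-sized members are refused the same way as one huge one.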