As far as I understand: this security hole will work when user double-click an supposedly innocent attachment, expecting that some well-known program (e.g. notepad.exe) will open it, is it right? So it will work only when user is opening an attachement, am I right? Now I'm trying to imagine similar scenario, but working just when email is opened - without opening it's attachments. Let's imagine email in HTML format, with online pictures. Pictures are saved to disk when email is opened to some temp directory, and then displayed in email window (e.g. background image). If (and this is the "IF") active script included into HTML email would access these files on disk, is it possible to execute the same "Active Setup" actions on it? This would allow to execute email attachements "masked" as GIF of JPG pictures put in HTML mail, just when email is opened. "Good Times" goes real? It's just an idea - for Juan Cuartango or Georgi Guminski or anybody else willing to verify it ... Bronek Kozicki PS sorry for my poor English
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:11 PDT