At 5:45 PM -0700 8/29/03, Allyn Weaks wrote:
>On 29/8/2003, Rob Saecker wrote many sensible things:
>
>But makes an all too common mistake:
>
>>Nevertheless, there has to be an executable file (which has to
>>be executed) for infection to occur. And there is no way to include
>>an executable file in the body (text) of an email, it has to be an
>>attachment. An email with no attachment cannot spread a virus.
>
>klez and it's cousins are the counter example. Klez doesn't use an
>attachment, it uses HTML to execute javascript, which is used to
>obfuscate calls to active-x, which allows you to run any code on the
>target machine. This is one of several ways to get caught by trojans
>at web sites, too. (By the way, MS announced 5 new security holes in
>Explorer for windows this week; windows users need to go get the
>updates pronto if you haven't. Since many mail clients use the
>Explorer rendering engine to display html, bugs in explorer translate
>to bugs in the mail client.)

Ah, yes. I stand corrected.
--
Rob Saecker
rsaecker at thurston.com