.desktop files, serious security hole, virus-friendliness

Sam Watkins sam at nipl.net
Fri Apr 7 13:37:33 EEST 2006

On Wed, Apr 05, 2006 at 11:13:00PM +0100, Mike Hearn wrote:
> On Tue, 04 Apr 2006 20:02:49 -0700, Sam Watkins wrote:
> > This would be too difficult to implement given the enormous variety of
> > e-mail clients and browsers.
> Whilst there are many, there are only a few likely to be used by those at
> risk of being fooled by a lying .desktop file so this idea is certainly
> tractable and is a variant of the EA scheme that Francois came up with.


I personally use mutt as an email client.

Not very many years ago, I was looking at an email, and accidentally
pressed "enter" which viewing a list of attachements.

due to a moronic mailcap entry added by a wine developer or packager,
wine started trying to execute the .exe file which was a virus attached
to this email.  happily wine takes a while to start up and I realised
what was going on.

I don't consider myself easy to fool.  Nor is mutt the email client you
might expect to be used by gullible people.

The fact is it's VERY EASY to get viruses just by accident, you don't
have to be especially foolish, just to click or press enter in the wrong
place at the wrong time.

To many people blame "silly users" for the propogation of viruses,
rather than the stupid design of the Windows OS which lets you run any
executable straight off the internet.  The OS is at fault, not the

> I'd still like .desktop files to not be able to impersonate document types
> BUT preventing browsers/email clients from saving them is a fine
> substitute given I can't think of a legitimate reason to do such a thing.

I don't agree.  The place to solve this problem is at the center, in the
OS's handling of desktop files where the fault actually is.
We shouldn't have to deal with it again and again for every mail reader,
news reader, browser, file-transfer client, chat program, etc., etc.


More information about the xdg mailing list