
Security

13.1 General Pine Security

Making your system as secure as possible is an important first step to making your applications, including Pine, more secure. The following links provide resources to help you make your system more secure:

CERT Coordination Center
The CERT Coordination Center studies Internet security vulnerabilities, provides incident response services to sites that have been the victims of attack, publishes a variety of security alerts, researches security and survivability in wide-area-networked computing, and develops information to help you improve security at your site.

The World Wide Web Security FAQ
This is the World Wide Web Security Frequently Asked Question list (FAQ). It attempts to answer some of the most frequently asked questions relating to the security implications of running a Web server and using Web browsers.

CIAC (Computer Incident Advisory Capability group)
The CIAC Website provides an extensive, comprehensive resource for diverse computer security issues. These resources are presented in various forms and topics and are available to the public as well as the DOE community.

Center for Education and Research in Information Assurance and Security
Purdue University's center for multidisciplinary research and education in areas of information security (computer security, network security, and communications security), and information assurance. (See also the related COAST web site.)

13.2 How do I get a secure version of PC-Pine?

All versions of PC-Pine include TLS/SSL support. Some versions also are available with Kerberos. Both Kerberos and TLS/SSL require setup on the administrative end.


13.3 Is there a "remote exploit" bug in Pine's handling of mailcap entries?

Many people have inquired about a recent widely-distributed message describing a "remote exploit in pine," specifically, a "vulnerability in the metamail package used with pine" and a claim that the "`" character "is incorrectly expanded by pine."

We believe the following to be true:

We do not agree that the "`" character "is incorrectly expanded by pine." Rather, we believe that Pine correctly implements RFC-1524. However, it is possible to modify Pine to preclude mailcap parameter substitution and thereby avoid mailcap risks at sites where faulty mailcap files may be installed. A patch to do this for Pine 4.10 is available. Obviously, this patch will also break any legitimate mailcap entries that depend on parameter substitution.

While one could modify Pine to guard against the particular exploit permitted by the mailcap entries in question, it is very difficult to conceive of a truly safe "paranoid mode" other than disabling parameter substitution entirely. However, we suspect most people will find it far easier to remove any unsafe entries from their mailcap configuration file.
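To locate the mailcap entries that rely on parameter substitution, a site can audit its mailcap file for RFC 1524 `%{parameter}` references. The following Python sketch is an added example, not part of Pine or of the patch mentioned above; the sample mailcap text and the function names are constructed for illustration.

```python
import re

# Constructed sample mailcap for illustration (not from the original page).
SAMPLE_MAILCAP = r'''
# viewers
text/html; lynx -force_html %s; needsterminal
text/plain; shownonascii %{charset} %s; \
    test=test "$DISPLAY" != ""
audio/*; showaudio %s
message/external-body; showexternal %s %{access-type} %{name}
image/png; display %s; description=50%% \; scaled
'''

FIELD = re.compile(r"(?:\\.|[^;\\])+")   # ';'-separated, '\;' stays in field
PARAM = re.compile(r"%\{([^}]*)\}")      # RFC 1524 %{parameter} substitution

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and # comments."""
    buf = ""
    for raw in text.splitlines():
        if not buf and (not raw.strip() or raw.startswith("#")):
            continue
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def audit(text):
    """Return (content_type, parameter names) for entries using %{...}."""
    findings = []
    for line in logical_lines(text):
        fields = [f.strip() for f in FIELD.findall(line)]
        if len(fields) < 2:
            continue  # not a valid entry: needs a type and a view command
        names = set()
        for field in fields[1:]:
            # "%%" is a literal percent sign, so remove it before matching
            names.update(PARAM.findall(field.replace("%%", "")))
        if names:
            findings.append((fields[0], sorted(names)))
    return findings

if __name__ == "__main__":
    for ctype, names in audit(SAMPLE_MAILCAP):
        print(f"{ctype}: substitutes {', '.join(names)}")
```

Each reported entry passes a value taken from the message's Content-Type parameters to the viewer command, so those are the entries to review or remove.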


13.4 Can I get a virus through email?

The answer is, "yes," since email attachments sent to you can be arbitrary programs containing a virus, or they can be documents containing so-called "macro viruses." But remember that viruses are computer programs, which must come as attachments, while electronic mail often consists merely of plain text. You cannot get a virus from a plain text email message, but you can get one from an attachment to a plain email message.

Since most email programs permit users to send "attachments," and these attachments can be executable programs, you need to be careful. Nevertheless, you cannot get a virus from an attachment unless you run the program. Pine will always ask you to confirm that you wish to view an email attachment before doing anything else, such as running a program that views the attachment or even executing the attachment itself (if it is a runnable program file). Remember, if you tell Pine to view an attachment, in many cases the associated application (such as Word) will automatically be run. If in doubt, do not view the attachment. Instead, check it first with a virus checker or just delete it.

Keep in mind, as well, that modern spreadsheet programs and word processing programs have full-featured macro languages, and that some people have written viruses that take advantage of this. For this reason, an attached spreadsheet or document could contain an executable macro program, and that program could conceivably be a virus. To prevent this, you can disable the macro language in your spreadsheet or word processing program. Be aware, though, that this might disable useful features, too. (As an alternative to disabling macros in MS Word, try Nancy McGough's tips on Avoiding MS Word Macro Viruses.) Instead, or in addition to this, you can make sure to always use a virus checker. Again, try to only accept files from trusted sources, but take your own precautions as well.

Yahoo! provides lists on virus information.


13.5 What should I do if I receive email about a computer virus?

The Internet is constantly being flooded with information about computer viruses. However, interspersed among real virus notices are computer virus hoaxes. While these hoaxes do not infect systems, the flood of email messages they generate is nevertheless time consuming and costly to handle. Therefore, before broadcasting a warning that you received via email, it would be a good idea to check with trusted computer support people. There are well-developed methods for distributing information about viruses and it would be better for interested people to check with those resources rather than pass on questionable information.

You'll find examples of confirmed hoaxes, information about how to identify a hoax, and what to do when you receive a virus warning at: http://hoaxbusters.ciac.org/

Another useful Web site is the "Computer Virus Myths home page" (http://www.vmyths.com/) which contains descriptions of several known hoaxes. In most cases, common sense would eliminate Internet hoaxes.


13.6 On Win2k, why do I get errors when trying to validate my host name?

There is a problem with pre-SP1 (Service Pack 1) versions of Windows 2000 that causes wildcard SSL certificates to fail. This was actually a design feature in that version, which Microsoft was persuaded to revoke.
