Old 02-27-2020, 11:33 AM   #1
Book Hunter
Junior Member
Are There Any Malware Vulnerabilities in Calibre?

I download ebooks from a variety of sources. A few days ago I noticed a strange .mobi file ebook in my Calibre library. Its title suggested it was a German language dictionary. This is strange, as I am not German and do not speak the language. The creation date of this ebook was around 3 years ago in 2017. It is possible that I downloaded it somewhere by mistake, but I doubt it as I usually check what I download immediately.

I clicked on this ebook and it seemed to do nothing, so I cancelled it after a few seconds. It stated that the file was in use by some Python scripts. I think one of them was called introduction.py. I then clicked again to cancel it.

I then became suspicious and, after some investigation, discovered that ebooks can contain JavaScript. This JavaScript can contain malware which can exploit vulnerabilities in the host application.

I ran a full scan with Kaspersky Internet Security immediately after this and it reported no malware.

Does Calibre contain any vulnerabilities which can be exploited by JavaScript in ebook files? Should I be concerned about my recent experience or could this be something innocent? I am using Calibre version 3.42 running on Windows 10.
Old 02-27-2020, 02:32 PM   #2
theducks
Well trained by Cats
You probably had a senior moment (I know they are getting more frequent in my case).
OR
Did you check the CONTENT of the book?
Metadata downloads are not the most accurate things and the VALUE may be wrong.

2017? Is this the Calibre {date} or the file date? The Calibre date is when you ADDED it to C

As to Exploits: None reported that were ACTUAL (some A/V had false positives) in the 9 Years I have been using it.
Also, none of my books contain JS (there is no real need for most books).
Old 03-01-2020, 08:39 AM   #3
Book Hunter
Junior Member
No, I did not check the content of the mysterious ebook. It did not display after a few seconds, so I cancelled it. I then deleted it.

2017 is the date the ebook was added to Calibre.

I would just like some assurance that JavaScript included in a downloaded ebook cannot use Calibre to access personal information on my hard drive and upload it somewhere, or to install malicious applications. I would hope that Calibre functions within a sandbox and no files are read or written to outside of the designated directory.
Old 03-01-2020, 08:45 AM   #4
kovidgoyal
creator of calibre
All book JavaScript is executed in a sandboxed iframe, which is itself executed inside a sandboxed executable.
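The reply above describes calibre's layered defence: book JavaScript runs in a sandboxed iframe, which itself runs inside a sandboxed executable. A complementary check for a cautious reader is to find out, before opening an unfamiliar book, whether it carries any script at all. The Python below is an added example written for this thread, not calibre's own code. It assumes the book is an EPUB (a zip archive of XHTML documents) and does not parse the binary .mobi format the original poster mentioned; the sample EPUB it scans is constructed in memory, so it runs offline with only the standard library.

```python
"""Added example (not calibre's code): enumerate scriptable content in an EPUB.

An EPUB is a zip archive of XHTML, CSS, images and optionally JavaScript.
scan_epub() lists every place the book could carry script: standalone .js
members and <script> elements or inline event handlers inside XHTML documents.
The in-memory sample EPUB, its member names and its contents are this
example's own constructed test data.
"""
import io
import re
import zipfile

# Deliberately loose patterns: any <script ...> element, or an on*= attribute,
# is enough to say "this document can run script" and deserves a closer look.
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE)
DOC_SUFFIXES = (".xhtml", ".html", ".htm", ".xml", ".svg")


def scan_epub(data: bytes) -> dict:
    """Return {'scripts': [names], 'documents': {name: [findings]}} for an EPUB blob."""
    report = {"scripts": [], "documents": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".js"):
                # A standalone JavaScript member is script by definition.
                report["scripts"].append(name)
                continue
            if not lower.endswith(DOC_SUFFIXES):
                continue  # images, CSS, fonts, OPF/NCX: not scanned here
            body = zf.read(name)
            findings = []
            if SCRIPT_TAG.search(body):
                findings.append("script element")
            if EVENT_HANDLER.search(body):
                findings.append("inline event handler")
            if findings:
                report["documents"][name] = findings
    return report


def has_script(data: bytes) -> bool:
    """True if the EPUB carries any JavaScript at all."""
    report = scan_epub(data)
    return bool(report["scripts"] or report["documents"])


def build_sample_epub(with_script: bool) -> bytes:
    """Construct a minimal EPUB in memory (constructed test data, not a real book)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'mimetype' must be the first member and stored uncompressed;
        # a bare ZipInfo defaults to ZIP_STORED.
        zf.writestr(zipfile.ZipInfo("mimetype"), b"application/epub+zip")
        zf.writestr("OEBPS/chapter1.xhtml",
                    b"<html><body><p>Plain prose, no script.</p></body></html>")
        if with_script:
            zf.writestr("OEBPS/app.js", b"console.log('hi');")
            zf.writestr(
                "OEBPS/chapter2.xhtml",
                b'<html><body onload="init()"><script src="app.js"></script></body></html>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("with_script=%s ->" % flag, scan_epub(build_sample_epub(flag)))
```

The scan is a triage aid, not a verdict: a book that contains script is not necessarily malicious (some interactive textbooks use it legitimately), and a book without any is simply one less thing to worry about before it reaches the viewer's sandbox.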
Old 03-01-2020, 09:57 AM   #5
Book Hunter
Junior Member
Quote:
Originally Posted by kovidgoyal
All book JavaScript is executed in a sandboxed iframe, which is itself executed inside a sandboxed executable.
Thanks for your reply Kovid,

So, just to be sure, does this mean that JavaScript included in a downloaded ebook cannot use Calibre to access personal information on my hard drive and upload it somewhere, or to install malicious applications?
Old 03-01-2020, 10:22 AM   #6
Deskisamess
Wizard
Quote:
Originally Posted by Book Hunter
Thanks for your reply Kovid,

So, just to be sure, does this mean that JavaScript included in a downloaded ebook cannot use Calibre to access personal information on my hard drive and upload it somewhere, or to install malicious applications?
If there were these types of vulnerabilities in Calibre, the extremely knowledgeable folks here would be talking about it loud and clear. They also would not be using it.

The knowledge contained on this site is vast, and IMO, (for long time posters) can be trusted.

Old 03-01-2020, 11:26 AM   #7
kovidgoyal
creator of calibre
Quote:
Originally Posted by Book Hunter
Thanks for your reply Kovid,

So, just to be sure, does this mean that JavaScript included in a downloaded ebook cannot use Calibre to access personal information on my hard drive and upload it somewhere, or to install malicious applications?
Yes.
Old 03-03-2020, 03:32 AM   #8
un_pogaz
Chalut o/
Quote:
Originally Posted by Book Hunter
Thanks for your reply Kovid,

So, just to be sure, does this mean that JavaScript included in a downloaded ebook cannot use Calibre to access personal information on my hard drive and upload it somewhere, or to install malicious applications?
And then if ever, ever such a loophole is found:
Anyone with knowledge of the problem will think about how to fix it and fix it.
The joys of open-source development.
Old 03-03-2020, 04:36 AM   #9
Book Hunter
Junior Member
Thank you so much for your replies and reassurance!

I did some research on the internet and some people stated that malware in an ebook was possible, because it could contain JavaScript. But there seemed to be no actual examples of this having occurred.

I've become a lot more security conscious recently, having read all sorts of "horror stories" on the internet of audacious scams and breaches. This is generally a good thing, but it does make me somewhat paranoid at times.

I must have had a premature senior moment with the ebook I downloaded and assumed the worst.
