#1
Junior Member
Posts: 6
Karma: 10
Join Date: Feb 2020
Location: U.K.
Device: Kindle
Are There Any Malware Vulnerabilities in Calibre?
I download ebooks from a variety of sources. A few days ago I noticed a strange .mobi file ebook in my Calibre library. Its title suggested it was a German language dictionary. This is strange, as I am not German and do not speak the language. The creation date of this ebook was around 3 years ago in 2017. It is possible that I downloaded it somewhere by mistake, but I doubt it as I usually check what I download immediately.
I clicked on this ebook and it seemed to do nothing, so I cancelled it after a few seconds. It stated that the file was in use by some Python scripts. I think one of them was called introduction.py. I then clicked again to cancel it. I then became suspicious and, after some investigation, discovered that ebooks can contain JavaScript. This JavaScript can contain malware which can exploit vulnerabilities in the host application. I ran a full scan with Kaspersky Internet Security immediately after this and it reported no malware. Does Calibre contain any vulnerabilities which can be exploited by JavaScript in ebook files? Should I be concerned about my recent experience or could this be something innocent? I am using Calibre version 3.42 running on Windows 10.
#2
Well trained by Cats
Posts: 30,027
Karma: 57259778
Join Date: Aug 2009
Location: The Central Coast of California
Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A
You probably had a senior moment
OR Did you check the CONTENT of the book? Metadata downloads are not the most accurate things.
2017? Is this the Calibre {date} or the file date? The Calibre date is when you ADDED it to C
As to Exploits: None reported that were ACTUAL (some A/V had false positives) in the 9 years I have been using it. Also, none of my books contain JS (there is no real need for most books).
#3
Junior Member
Posts: 6
Karma: 10
Join Date: Feb 2020
Location: U.K.
Device: Kindle
No, I did not check the content of the mysterious ebook. It did not display after a few seconds, so I cancelled it. I then deleted it.
2017 is the date the ebook was added to Calibre. I would just like some assurance that a JavaScript included in a downloaded ebook cannot use Calibre to access personal information on my hard drive and upload it somewhere, or to install malicious applications. I would hope that Calibre functions within a sandbox and no files are read or written to outside of the designated directory.
#4
creator of calibre
Posts: 44,050
Karma: 22669822
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
All book JavaScript is executed in a sandboxed iframe, which is itself executed inside a sandboxed executable.
#5
Junior Member
Posts: 6
Karma: 10
Join Date: Feb 2020
Location: U.K.
Device: Kindle
Quote:
So, just to be sure, does this mean that a JavaScript included in a downloaded ebook cannot use Calibre to access personal information on my hard drive and upload it somewhere, or to install malicious applications?
#6
Wizard
Posts: 2,633
Karma: 43070209
Join Date: Sep 2012
Location: Ohio
Device: iPhone 7+, iPad mini, 2021 iPad Pro 12.9",Paperwhite 6.8"
Quote:
The knowledge contained on this site is vast, and IMO, (for long time posters) can be trusted.
Last edited by Deskisamess; 03-01-2020 at 10:46 AM.
#7
creator of calibre
Posts: 44,050
Karma: 22669822
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
#8
Chalut o/
Posts: 411
Karma: 145324
Join Date: Dec 2017
Device: Kobo
Quote:
Anyone with knowledge of the problem will think about how to fix it and fix it. The joys of open-source development.
#9
Junior Member
Posts: 6
Karma: 10
Join Date: Feb 2020
Location: U.K.
Device: Kindle
Thank you so much for your replies and reassurance!
I did some research on the internet and some people stated that malware in an ebook was possible, because it could contain JavaScript. But there seemed to be no actual examples of this having occurred. I've become a lot more security conscious recently, having read all sorts of "horror stories" on the internet of audacious scams and breaches. This is generally a good thing, but it does make me somewhat paranoid at times. I must have had a premature senior moment with the ebook I downloaded and assumed the worst.
Last edited by Book Hunter; 03-03-2020 at 04:39 AM.
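
Whether a given book carries script at all can be checked before the file is opened. The following is an added example, not part of the thread and not calibre's code: it lists where an EPUB (a ZIP container) holds script, and it does not parse the .mobi format mentioned in the first post. The function names and the sample book are constructed for illustration.

```python
import io
import re
import zipfile

MARKUP_EXT = (".xhtml", ".html", ".htm", ".svg", ".opf")
# Added example (not calibre code): heuristic byte patterns for script carriers in EPUB markup.
PATTERNS = {
    "script element": re.compile(rb"<script\b", re.I),
    "inline event handler": re.compile(rb"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(rb"""(?:href|src)\s*=\s*["']\s*javascript:""", re.I),
    "manifest item marked scripted": re.compile(rb"""properties\s*=\s*["'][^"']*\bscripted\b""", re.I),
}

def scan_epub(data: bytes) -> dict[str, list[str]]:
    """Return {member name: [findings]} for an EPUB given as raw bytes."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            hits = []
            if name.endswith(".js"):
                hits.append("standalone script file")
            elif name.endswith(MARKUP_EXT):
                body = zf.read(info)
                hits = [label for label, rx in PATTERNS.items() if rx.search(body)]
            if hits:
                findings[info.filename] = hits
    return findings

def build_sample_epub() -> bytes:
    """Constructed sample book: one plain chapter, one scripted chapter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/content.opf",
            '<package><manifest>'
            '<item id="c1" href="ch1.xhtml" media-type="application/xhtml+xml"/>'
            '<item id="c2" href="ch2.xhtml" media-type="application/xhtml+xml" properties="scripted"/>'
            '</manifest></package>')
        zf.writestr("OEBPS/ch1.xhtml", "<html><body><p>Plain text only.</p></body></html>")
        zf.writestr("OEBPS/ch2.xhtml",
            '<html><head><script src="notes.js"></script></head>'
            '<body onload="init()"><p>Interactive page.</p></body></html>')
        zf.writestr("OEBPS/notes.js", "function init() {}")
    return buf.getvalue()

if __name__ == "__main__":
    for member, hits in scan_epub(build_sample_epub()).items():
        print(member, "->", ", ".join(hits))
```

An empty result means these heuristics found no script markers; it says nothing about flaws in a reader's own parsing of the file.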