Pierre Abbat wrote:
> An HTML message can contain a JavaScript program, or an iframe with an executable in it. Klez spreads by sending HTML messages with executables in iframes, though Klez is filtered out before it reaches my inbox.
Well, any mail client that allows that is clearly broken. Correct JavaScript implementations should not be a security risk, but it's probably best not to have JavaScript enabled in your mailreader anyway.
-Mark
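
The two kinds of active content discussed in this thread (a script in the HTML body, and an iframe that points at an executable attachment) can be flagged by a mail filter before delivery. The following is an added example, not part of either poster's message; `scan_message`, the extension list and the sample message are all constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")  # assumed list, not exhaustive
# Constructed sample: HTML part with a script and an iframe that references an attachment.
SAMPLE = b"""\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><script></script><iframe src="cid:part1"></iframe></body></html>
--b1
Content-Type: application/octet-stream
Content-ID: <part1>
Content-Disposition: attachment; filename="demo.exe"

AAAA
--b1--
"""
class _ActiveTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self.iframe_srcs = 0, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        elif tag == "iframe" and dict(attrs).get("src"):
            self.iframe_srcs.append(dict(attrs)["src"])

def scan_message(raw: bytes) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Map Content-ID -> MIME part so that cid: references can be resolved.
    by_cid = {p["Content-ID"].strip().strip("<>"): p for p in msg.walk() if p["Content-ID"]}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        tags = _ActiveTags()
        tags.feed(part.get_content())
        if tags.scripts:
            findings.append("script element in HTML body")
        for src in tags.iframe_srcs:
            target = by_cid.get(src[4:]) if src.lower().startswith("cid:") else None
            name = (target.get_filename() or "") if target is not None else ""
            if name.lower().endswith(EXEC_EXT):
                findings.append(f"iframe loads executable attachment {name}")
    return findings
```

A plain-text message produces no findings, so the check can run on every inbound message without special-casing.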