At 15:47 1995.09.22 -0400, dmandl@panix.com wrote:
On Fri, 22 Sep 1995, Adam Shostack wrote:
I keep hearing this thought. Isn't Win95 with its 'executables in email' much more dangerous than Java, which at least tries to address security?
Is that the new MS-Word you're thinking of? I hear that it lets you imbed macros containing executable code in documents. That's got to be one of the most dangerous ideas ever cooked up.
It's no worse than the other hundreds of products that have macro languages that can write files (even the ones that can't execute other programs are dangerous if they can write a real executable to a file and, say, add a corresponding RUN= line in a WIN.INI or the equivalent to get it executed later). Word's is just more visible because the macro itself can behave like a virus, because of Word's autoexec-macro feature that can make the macro run automatically unless they user disables those options on his copy. Many versions of PostScript have this kind of hole, I understand; some disable the file-manipulation commands to be more secure. I remember hearing recently that Ghostscript, popular on PCs, is one that does have the file-manips, but all of this is hearsay so I can't say for sure. Herb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Herb Sutter 2228 Urwin, Suite 102 voice (416) 618-0184 Connected Object Solutions Oakville ON Canada L6L 2T2 fax (905) 847-6019