Re: Microsoft Explorer security hole (fwd) MSoft's reply...
Displaying warning dialogs in browsers and using default settings so as not to auto run macros are only bandages to this problem. Consider the following:

By using API routines to access the Win95 registry, someone writes a macro virus (or even just a garden variety trojan) that turns off the warning levels for MSIE which are stored in the registry (I haven't had time to look, but I'm assuming they're there). The user has no idea the setting has been changed, and is never warned when evil, malicious, unsigned code is executed. Until too late.

The registry, or whatever file you're saving state values to, should have some form of write authorization associated with it. Encryption would also be extremely nice for privacy's sake (check out a Windows .INI file or registry entry some time, and see what little tidbits of information are being stored there).

In my experience, one of Microsoft's main problems when it comes to security has been its developers and program/product managers don't think like "bad guys" when it comes to design and subsequent exploits and holes. Unfortunately, the user is the ultimate loser.

Joel

BTW - The paranoid side of me wouldn't be surprised to see PC "espionage-enabled" viruses and trojans within the next few years. Their main purpose would be to either disable or patch various security features for later attacks, or directly snatch information off of hard drives and send it out over the Net. I know of a few lab projects of a similar nature, that were very easy to implement.
Date: Thu, 22 Aug 1996 15:49:33 -0700
From: Thomas Reardon <thomasre@MICROSOFT.com>
Subject: Re: Internet Explorer security problem (Felten, RISKS-18.36)
We have discovered a security flaw in the current version (3.0) of Microsoft's Internet Explorer browser running under Windows 95. An attacker could exploit the flaw to run any DOS command on the machine of an Explorer user who visits the attacker's page.
We now post the virus warning dialog on local files (file: urls). We have always posted it on remote files (http: urls). Note that the root of the problem is not Java or the browser, but in macro-enabled applications. IE3 has a mechanism to warn users about safety of documents when used with common macro-enabled applications. We have updated Microsoft Word such that by default it will not run macros embedded in documents.
-Thomas
participants (1)
-
Joel McNamara
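An added example, not part of the original message or of any Microsoft code: one way to give a saved-settings file the kind of write authorization the message asks for, by sealing it with an HMAC and falling back to the strictest values when the seal does not verify. The setting names and the key are constructed for illustration, and the sketch assumes the key is held somewhere the code able to write the settings store cannot read it; without that, the attacker simply re-seals the modified settings.

```python
import hashlib
import hmac
import json

# Strictest values, used whenever the stored state cannot be trusted.
# The setting names are hypothetical, not real browser settings.
SAFE_DEFAULTS = {
    "warn_on_local_files": True,
    "warn_on_remote_files": True,
    "run_embedded_macros": False,
}


def seal(settings, key):
    """Serialize settings and prepend an HMAC-SHA256 tag over the exact bytes."""
    body = json.dumps(settings, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + body


def load(blob, key):
    """Return (settings, trusted); any failed check yields SAFE_DEFAULTS."""
    tag, sep, body = blob.partition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison; a missing separator also counts as tampering.
    if not sep or not hmac.compare_digest(tag, expected):
        return dict(SAFE_DEFAULTS), False
    try:
        stored = json.loads(body)
    except ValueError:
        return dict(SAFE_DEFAULTS), False
    if not isinstance(stored, dict):
        return dict(SAFE_DEFAULTS), False
    # Unknown keys are ignored; missing keys keep the strict default.
    return {k: stored.get(k, v) for k, v in SAFE_DEFAULTS.items()}, True


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; assumed out of reach of macros
    blob = seal(SAFE_DEFAULTS, key)
    # Simulate a silent edit of the stored state by code that lacks the key.
    tampered = blob.replace(b"false", b"true")
    print(load(blob, key))
    print(load(tampered, key))
```

The caller should surface the `trusted` flag to the user, since a silent reset would hide the fact that something rewrote the settings.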