On Fri, 11 Apr, 2014 at 8:03 AM, marc garrett
<[email protected]> wrote:
> This is only just science fiction. Even the earliest viruses often
> displayed messages and malware that denies access to your data until
> you pay to decrypt it already exist. ePub ebooks can execute
> arbitrary JavaScript, and PDF documents can execute arbitrary shell
> scripts. Compromised PDFs have been found in the wild. Stross's
> weaponized ebooks are not more than one step ahead of this.
> http://www.furtherfield.org/features/articles/vampire-digital-art

This came up in a private discussion, but it's an interesting issue so
I thought I'd address it publicly.
There are no known epub JavaScript security exploits in the wild (a
point "Vampire Digital Art" makes by omission after mentioning PDF
exploits).
That said, the epub standard doesn't mandate any restrictions on code
execution other than scope within the book (specific reader software
may restrict programmatic network access). And from discussions of the
standard on blogs and discussions of browser (not ereader) JavaScript
exploits on StackOverflow I can see how to do an in-book extortion
scheme, how to download and execute arbitrary code, and how to target
specific devices with buffer overflows. I'm not *going* to, but as
someone who has to consider security in their work as a software
developer I can see how to.
I feel that this makes the innuendo of "ePub ebooks can execute
arbitrary JavaScript" defensible.
However, if it isn't, then I mention ebooks more to support Stross's
thesis than to start my own, and there's still the example of PDF files.
_______________________________________________
NetBehaviour mailing list
[email protected]
http://www.netbehaviour.org/mailman/listinfo/netbehaviour