Hmmm, Windows has the ability to write a script that ANYONE can run that
will delete the disk. Hmmm. Why should a Word Processor EVER have the
ability to make system calls?
It IS a MS problem, they should not allow any indiscriminate user to run
format or del *.* . IF you don't want a child to shoot themselves, don't
give them a gun to play with.
UNIX/Linux has the ability to say.. "Hey, you can't do that!" with a
simple feature like file permissions and file ownership. Why hasn't MS
followed suit with these basic security precautions? Half the viruses in
the world would become obsolete with this one patch.
Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]
On 30 Mar 1999, Russ Allbery wrote:
> Kai MacTane <[EMAIL PROTECTED]> writes:
>
> > Sort of. The problem isn't really the MUAs so much as the user
> > behaviors: the user has to explicitly activate the virus-attachment. I
> > don't know of any Windows MUAs that *automatically* run any attachment
> > they receive -- even Windows users would consider that a security
> > risk. In general in the Windows world, when you open an attachment, the
> > MUA tells the OS to load the appropriate app for viewing files of that
> > type (where "type" is determined solely by filename extension, of
> > course, rather than something sane like header info).
>
> I'd like to back this up, and point out here that too much Microsoft
> bashing on this one is misplaced. This particular attack is not
> Microsoft-specific in any way other than having happened to be written
> against a widely used Microsoft application; the property that it needs to
> be effective is a document viewer with an embedded macro language in which
> macros are executed by default.
>
> You could run precisely this same attack against a Unix user with, for
> example, a DVI document. The DVI formatting language allows for shell
> escapes, and xdvi knows how to execute them. This capability is, of
> course, not the default; you have to run xdvi with a special command-line
> option to tell it that it's safe to do this.
>
> Now, I'm not a Word user, so I don't know for sure, but I've at least
> heard that automatic execution of macros in Word documents is *off* by
> default. Extrapolating from that, however, I would imagine that Word
> probably pops up a warning dialog box, and users get tired of saying "yes,
> it's okay."
>
> In other words, to be blunt, this isn't a Windows problem. This is a user
> stupidity problem. The *only* effective long-term solution to these sorts
> of problems is to bludgeon people about the head with the idea that they
> should NEVER, EVER, *EVER* run *ANYTHING* that they get via e-mail, *even
> if it's from someone that they know*, without explicit confirmation of
> what it is and what it does, and that all of their programs need to be
> configured the same way. And that as annoying as warning boxes might be,
> they're there for a *reason*, and if they can't stand them, the answer is
> to disable all macros always, not turn them on.
>
> --
> Russ Allbery ([EMAIL PROTECTED]) <URL:http://www.eyrie.org/~eagle/>
>