From: herbs@interlog.com (Herb Sutter)
Date: Fri, 22 Sep 95 18:32:03 PDT
To: adam@lighthouse.homeport.org>
Subject: WordBasic and other macro languages
Message-ID: <199509230130.VAA04956@gold.interlog.com>
MIME-Version: 1.0
Content-Type: text/plain


At 15:47 1995.09.22 -0400, dmandl@panix.com wrote:
>On Fri, 22 Sep 1995, Adam Shostack wrote:
>> 	I keep hearing this thought.  Isn't Win95 with its
>> 'executables in email' much more dangerous than Java, which at least
>> tries to address security?
>
>Is that the new MS-Word you're thinking of?  I hear that it lets you
>imbed macros containing executable code in documents.  That's got to
>be one of the most dangerous ideas ever cooked up.

It's no worse than the other hundreds of products that have macro languages
that can write files (even the ones that can't execute other programs are
dangerous if they can write a real executable to a file and, say, add a
corresponding RUN= line in a WIN.INI or the equivalent to get it executed
later).  Word's is just more visible because the macro itself can behave
like a virus, because of Word's autoexec-macro feature that can make the
macro run automatically unless they user disables those options on his copy.

Many versions of PostScript have this kind of hole, I understand; some
disable the file-manipulation commands to be more secure.  I remember
hearing recently that Ghostscript, popular on PCs, is one that does have the
file-manips, but all of this is hearsay so I can't say for sure.

Herb

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Herb Sutter                 2228 Urwin, Suite 102       voice (416) 618-0184
Connected Object Solutions  Oakville ON Canada L6L 2T2    fax (905) 847-6019