From: Jamie Zawinski <jwz@netscape.com>
To: cypherpunks@toad.com
Message Hash: 1c0fca2fb99bb169d9db346c9156b7e4a0d2c0132fa24f26f025e614ff51a99d
Message ID: <308CD9B4.23F20F8F@netscape.com>
Reply To: <199510240734.AAA23451@jobe.shell.portal.com>
UTC Datetime: 1995-10-24 12:19:44 UTC
Raw Date: Tue, 24 Oct 95 05:19:44 PDT
From: Jamie Zawinski <jwz@netscape.com>
Date: Tue, 24 Oct 95 05:19:44 PDT
To: cypherpunks@toad.com
Subject: Re: Netscape Logic Bomb detailed by IETF
In-Reply-To: <199510240734.AAA23451@jobe.shell.portal.com>
Message-ID: <308CD9B4.23F20F8F@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain
anonymous-remailer@shell.portal.com wrote:
>
> >Those of us who care run our postscript interpreters with all the
> >dangerous commands stripped out,
>
> Perry, I'll call you on that one, cause you simply can't do it.
>
> Postscript isn't like any other language around. Operator names have no
> special significance to the interpreter. You can't just "strip out"
> dangerous commands. They aren't "reserved" in the sense that operator
> names are in other languages, like COBOL or BASIC.
You're talking about stripping them out *with PostScript code*, which
is obviously a dangerous proposition (but is still possible if you do
it right, and if systemdict is not read-only as it often is.)
If you strip them out by taking the source to the interpreter and
stripping them out there, then the PostScript code can be as malicious
as it likes; if the interpreter has no access to disk file primitives,
it can't read or write files, period.
If you don't have source to your interpreter, or it your interpreter
is deeply intertwingled with your OS or window system, obviously this
will be harder to do. So in that case, you can run a different,
smaller interpreter that you can isolate. It's not like they aren't
widely available.
Of course, if the hypothetical cracker is going to take advantage of
buffer-overflow bugs in the interpreter to do what they want, then it
doesn't *matter* that it's a PostScript interpreter; at that point,
it's just another buggy program.
> In Postscript, operator names are simply keys into a LIFO dictionary.
> This makes Postscript different from other languages because you could
> redefine these names if you wanted to. Stripping something from a
> dictionary doesn't matter because, the search sequence is top down.
>
> If I rewrite an operator name, and put it at the top of the stack, there's
> not anything you can do.
>
> Gee's Perry, even if you haven't stripped something out, I can rewrite it.
> And the interpreter will find the rewritten version before the version
> that's in your machine.
I think it would be a really good trick to implement disk I/O in
PostScript that will work in an interpreter which didn't provide any
disk I/O routines in systemdict.
> And this is why the Request-For-Comments from the IETF warns:
>
> "Postscript is an extensible language, and many, if not most,
> implementations of it provide their own extensions. This document
> does not deal with such extensions explicitly since they constitute
> an unknown factor ..."
>
> Is that clearer?? If you thought that you had "safety" cause you stripped
> your interpreter, then you're in trouble, cause that doesn't work.
Of course it works -- if you know what extensions the interpreter you're
running provides and if you've likewise turned off the dangerous ones.
> > but given that Netscape doesn't supply postscript interpreters, its not
> > really their fault or problem.
>
> Well, that line might work on those who don't know any better, but that's
> also why the Internet Engineering Task Force (IETF) tries to protect the
> public by suggesting that implementors like Netscape not pass the ball:
>
> "The execution of general-purpose PostScript interpreters entails
> serious security risks, and implementors are discouraged from simply
> sending PostScript email bodies to "off-the-shelf" interpreters."
>
> Netscape ignores this suggestion.
How?
As has been pointed out to you, repeatedly, we do not ship a PostScript
interpreter, and Netscape does not come configured to *look* for a
PostScript interpreter of any kind. When you run it off-the-shelf, and
hand it a PostScript file, it says "I've never heard of this. What do
you want to do with it?"
Just like it would with a perl script. Or an awk script. Or an sh
script. Or a Microsoft Word document. Or any other program capable
of file I/O or network connections.
The user picks the interpreter they want to hand the document to.
If anyone ignores this advice you keep repeating, it's the user.
Not us.
> I guess that Netscape simply knows more (or cares less??) than the entire
> collected wisdom of the International contributors who make up the IETF.
Stop, I'm getting chills.
> Gee, there's lotsa wisdom over there at Netscape.
I'm sure we all love you too.
--
Jamie Zawinski jwz@netscape.com http://www.netscape.com/people/jwz/
``A signature isn't a return address, it is the ASCII equivalent of a
black velvet clown painting; it's a rectangle of carets surrounding
a quote from a literary giant of weeniedom like Heinlein or Dr. Who.''
-- Chris Maeda
Return to October 1995
Return to ““Perry E. Metzger” <perry@piermont.com>”