[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Another Netscape Bug (and possible security hole)



On Fri, 22 Sep 1995 [email protected] wrote:

> On Fri, 22 Sep 1995, Adam Shostack wrote:
> 
> > Perry E. Metzger wrote:
> > 
> > | I don't believe the Sun Java stuff would suffer from it, although I
> > | fear Java a great deal.
> > 
> > 	I keep hearing this thought.  Isn't Win95 with its
> > 'executables in email' much more dangerous than Java, which at least
> > tries to address security?
> 
> Is that the new MS-Word you're thinking of?  I hear that it lets you
> imbed macros containing executable code in documents.  That's got to
> be one of the most dangerous ideas ever cooked up.

Agreed; but it's present, not just in Word (every version since 2.0, as 
far as I can tell, in fact, since they all let you make system calls...), 
but in Microsoft Network, Microsoft Access, Microsoft Excel... I believe 
PowerPoint and Publisher are exempt from this bug, if only because the 
current versions have no macro languages...

One of the penalties that modern software (at least for Windows) imposes 
is the ability to create massive viri, simply by allowing system calls to 
be executed from macros (if this was not the case, OLE technology 
wouldn't work, and interoperation between Windows programs can't occur, 
thereby crippling the system through bad design regardless of which 
alternative was chosen)

Jon
------------------------------------------------------------------------------
Jon Lasser                <[email protected]>            (410)494-3072 
          Visit my home page at http://www.goucher.edu/~jlasser/
  You have a friend at the NSA: Big Brother is watching. Finger for PGP key.