
Re: Postscript in Netscape



In article <[email protected]>, [email protected] (Dr. Frederick B. Cohen) writes:

> Jeff Weinstein - Electronic Munitions Specialist Wrote:
> ...
>> If a user configures a postscript viewer that has not had the
>> file operations disabled as a helper app to any web browser then
>> they are opening themselves up for a world of hurt.  The same is
>> true if they just download the file and run their viewer on it
>> manually.  The same is true if they configure /bin/sh as an
>> external viewer.
>> 
>> Obviously everyone should heed Perry's warnings and emasculate
>> their postscript interpreters before using them to view files
>> of unknown origin.

> WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to
> be secure - regardless of the user's use of their product.  Otherwise,
> the ads should read:

> 	"Netscape can be used securely by sufficiently knowledgeable
> 	users who have emasculated their postscript interpreters before
> 	using them to view files of unknown origin, and who have removed
> 	all other known, unknown, and/or undisclosed security holes from
> 	their systems.  Otherwise, Netscape is insecure and should not be
> 	trusted."

If the user sets up a postscript viewer as an external viewer for
postscript files, it's not Netscape's fault if the viewer does something
insecure.

-- 
Sure we spend a lot of money, but that doesn't mean    |  Tom Weinstein
we *do* anything.  --  Washington DC motto             |  [email protected]