Re: Postscript in Netscape
In article <[email protected]>, [email protected] (Dr. Frederick B. Cohen) writes:
> Jeff Weinstein - Electronic Munitions Specialist Wrote:
> ...
>> If a user configures a postscript viewer that has not had the
>> file operations disabled as a helper app to any web browser then
>> they are opening themselves up for a world of hurt. The same is
>> true if they just download the file and run their viewer on it
>> manually. The same is true if they configure /bin/sh as an
>> external viewer.
>>
>> Obviously everyone should heed perry's warnings and emasculate
>> their postscript interpreters before using them to view files
>> of unknown origin.
> WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to
> be secure - regardless of the user's use of their product. Otherwise,
> the ads should read:
> "Netscape can be used securely by sufficiently knowledgeable
> users who have emasculated their postscript interpreters before
> using them to view files of unknown origin, and who have removed
> all other known, unknown, and/or undisclosed security holes from
> their systems. Otherwise, Netscape is insecure and should not be
> trusted."

If the user sets up a postscript viewer as an external viewer for
postscript files, it's not Netscape's fault if the viewer does something
insecure.
--
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything. -- Washington DC motto | [email protected]