funsec mailing list archives
Re: idea
From: der Mouse <mouse () rodents-montreal org>
Date: Sun, 4 Jan 2009 22:16:32 -0500 (EST)
> To use the real-life example, an unpatched Windows [...] Even if I do not connect the machine to any network, the moment I open any document that the machine itself did not create, I expose it to all sorts of macros, scripts and embedded content which can hose or exploit my applications.
Quite. A good argument against providing extension languages with the capability of modifying...well, pretty much anything outside the file the code is embedded in, and arguably even that.
> The same weaknesses apply to operating systems and applications generally.
Only if they insist on executing code from sources such as "documents" from elsewhere, giving it capabilities like writing files (or semi-equivalent capabilities such as modifying the Windows registry). I, for example, do not "open" "documents"; I display and/or edit files, and the display and editor programs do not provide any kind of live-content support to the files in question. (I do occasionally run PostScript or PDF code, but when such programs come from untrusted sources I tell the PS/PDF engine to disable the primitives for writing files and the like.)

This is not to say that programs are bug-free, only that outright bugs provide any way for such things to execute content.

I fully expect that evolutionary pressures will end up killing off live content, or at least live content that provides support for making non-transient state changes such as writing files.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse () rodents-montreal org
/ \ Email!             7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.