Vulnerability Development mailing list archives

Re: WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs


From: 11a () GMX NET (Bluefish)
Date: Sun, 14 May 2000 04:09:35 +0200


As for point 3, I do tend towards Microsoft on this one. We (Customers)
wanted a better batch language. Basic is a nice simple language. Well, let's
leverage VB and VBA and create VBS. In doing so they created a very powerful
scripting language that can do quite a lot.

There is obviously nothing wrong with powerful scripting languages. It
would be almost like saying that any executable is dangerous because it
can contain whatever machine code the inventor thought of!

Scripting capabilities like Perl have been widely available for years
without problems.

IMHO the problem with the Microsoft platforms is that it is quite hard to
determine if a file is executable, a mixed data/executable. This is mainly
because it relies upon extensions for such things and there are numerous
extensions which are executable which the average user isn't aware of.
Additionally, word processors etc. which the users often assume to be safe
by default execute script without even warning the user the first time.
Then yet again, according to other sources Outlook has insane features
like hiding extensions and the possibility to be configured to
"autopreview".

There is obviously room for numerous security upgrades which would not
limit any functionality?

only MS OS that has the hope of doing that. Please, no comments on how UNIX
does not have these limitations, that is given, but UNIX does not have the
market share to cause this problem, 9x does.

Unix is definitely big enough to cause problems. The day all Unix boxes in
the world stop simultaneously, you'll realize that beneath the
surface, Unix runs the entire world ;)

Well, more seriously, there are reasons why Unix does not suffer these
problems. Compared to the average Windows user, the average Unix user has
a higher education and computing experience (or you might call me biased).
Secondly, most *nix clients for Unix are not designed to be one mouse click
to execute possibly hostile code.

Not to sound too much pro-Unix, the different architectures have different
problems. Unix certainly has its share of security problems. But what
Microsoft is outstanding in is a human interface which very easily fools
the human.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
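
The extension problem described in the message above, as an added example that is not part of the original post: a Python check for a mail filter that shows what a client hiding extensions would display and flags attachments whose final extension makes them run as code. The extension lists, function names and sample filenames are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed, non-exhaustive lists. SCRIPT_HOST types are run by wscript.exe/cscript.exe.
SCRIPT_HOST = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
EXECUTABLE = SCRIPT_HOST | {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".hta"}
DATA_LOOKING = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}

def split_ext(name):
    """Return (stem, lowercased final extension); Win32 ignores trailing dots/spaces."""
    name = name.rstrip(". ")
    dot = name.rfind(".")
    return (name, "") if dot <= 0 else (name[:dot], name[dot:].lower())

def displayed_name(name):
    """Name as shown when extensions are hidden (modelled as dropping the last one)."""
    return split_ext(name)[0]

def classify(name):
    """'ok', 'executable', or 'disguised' (runs as code but displays as data)."""
    stem, ext = split_ext(name)
    if ext not in EXECUTABLE:
        return "ok"
    inner = split_ext(stem)[1]
    return "disguised" if inner in DATA_LOOKING else "executable"

def scan_message(raw):
    """Return (filename, displayed name, verdict) for each attachment of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return [(n, displayed_name(n), classify(n)) for n in names]

def build_sample():
    """Constructed test message; the filenames are made up, not from the thread."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for fn in ("report.doc", "notes.txt.vbs", "cleanup.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_string()

if __name__ == "__main__":
    for row in scan_message(build_sample()):
        print(row)
```

A filter would quarantine or rename the "disguised" and "executable" verdicts before the message reaches a client that launches attachments on a click.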

