[NTLUG:Discuss] Executable Content Considered Harmful
Christopher Browne
cbbrowne at hex.net
Fri May 5 09:38:39 CDT 2000
On Fri, 05 May 2000 09:15:30 CDT, the world broke into rejoicing as
"Will Senn" <wsenn at postfuture.com> said:
> What's the deal? Is this amateur night? Let's move on to linux
> discussions. Linux is not affected by the "love bug". Anyone that checks
> ntlug messages with exchange should be embarrassed if they catch the virus.
> I have to admit to being an NT user at work, but I wouldn't cry about
> catching the virus in this particular forum.
>
> Here's my 2 cents:
> 1. Don't execute attachments that are not pgp/gpg signed by people you
> trust and are expected.
> 2. Don't use an email reader that autoexecutes anything associated with
> incoming mail (I don't mean turn autoexecute off either)

The issue is obviously greatly "enhanced" when you use a "virus-enhanced
email" system. From what I can tell, the _only_ executable attachments
that get _sent_ via email tend to be "nefarious tools of evil."

But there were similar problems before the days of Windows.

1. Does anyone remember the ability of Lotus 123 to run an "autoexecute
   macro?"

   This was considered hazardous close to ten years ago.

2. Emacs editors (GNU Emacs and XEmacs) both provide the ability to
   attach "variables," executable by the editor, to documents.

   This is quite useful if you want to, say, use a customized
   electric-C mode for editing programs. When you load a source code
   file into the editor, it provides instructions to the editor as to
   what indentation policy to apply and such.

   This is fairly well-documented as providing a "hole." If you bring
   in files from just anywhere, you should _not_ set up Emacs to
   automatically evaluate such variables, as there is the risk of
   someone dropping in nefarious code.

   It hasn't generally been _done_, mind you, but it sure is
   _possible_...

3. Web pages do exactly the same thing; ECMAScript code that "sucks"
   your web browser in to front pages of porn web servers is another
   example of this. When you can't close browser windows without another
   one popping open to head somewhere lurid, that's another example of
   this situation.

4. Melissa. She's not just Bill's wife anymore...

It underlines the point that there is considerable Bad to "push"
technologies. The intent of things like HTML, SGML, and XML is to
provide formats for data that are _NOT_ "executable," but rather are
merely _descriptive_. The problems outlined above don't happen if
all that is transferred is the _description_ of information.

[Anyone that wants to counterpoint with "I want to transmit closures"
can chime in; I'm not _totally_ disagreeable to the notion, just
_mostly_ disagreeable...]
--
"...It is meaningless to anyone unwilling to commit to forever using a
single vendor's operating system. Historically that seems to have
been a bad choice. Are you convinced that times have changed?"
-- Les Mikesell <les at mcs.com>
cbbrowne at ntlug.org - <http://www.ntlug.org/~cbbrowne/lsf.html>
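
Added example, not part of the original post: a Python sketch that checks a file for the Emacs file-local variables described in item 2 and reports the entries that would make the editor evaluate or call code. The function names, the sample file and the subset of risky name suffixes are constructed for illustration.

```python
import re

# Emacs reads file-local variables from a "-*- ... -*-" cookie on the first
# line (second line after a #! line) and from a "Local Variables:" ... "End:"
# block within the last 3000 characters of the file.
# Assumption: a subset of the name suffixes Emacs treats as risky.
RISKY_SUFFIXES = ("-command", "-function", "-hook", "-hooks", "-form", "-program")

def cookie_vars(text):
    lines = text.splitlines()[:2]
    if len(lines) == 2 and lines[0].startswith("#!"):
        lines = lines[1:]
    m = re.search(r"-\*-(.*?)-\*-", lines[0]) if lines else None
    if not m:
        return []
    # Simplification: values containing ";" are split; the name is still seen.
    pairs = [p.partition(":") for p in m.group(1).split(";") if ":" in p]
    return [(n.strip(), v.strip()) for n, _, v in pairs]

def block_vars(text):
    tail = text[-3000:]
    hits = list(re.finditer(r"^(.*?)Local Variables:(.*)$", tail, re.I | re.M))
    if not hits:
        return []
    # Text around the marker is the comment prefix/suffix for every entry.
    prefix, suffix = hits[-1].group(1), hits[-1].group(2).rstrip()
    found = []
    for line in tail[hits[-1].end():].splitlines():
        line = line.rstrip()
        if not line:
            continue
        if not line.startswith(prefix):
            break
        line = line[len(prefix):]
        if suffix and line.endswith(suffix):
            line = line[:-len(suffix)]
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() == "end":
            break
        found.append((name.strip(), value.strip()))
    return found

def risky_locals(text):
    """Return (name, value) entries that make Emacs evaluate or call code."""
    return [(n, v) for n, v in cookie_vars(text) + block_vars(text)
            if n.lower() == "eval" or n.lower().endswith(RISKY_SUFFIXES)]

# Constructed sample: a C file whose trailer carries an eval entry.
SAMPLE = '''int main(void) { return 0; }
/* Local Variables: */
/* c-basic-offset: 4 */
/* eval: (message "runs when the file is visited") */
/* End: */
'''
```

Inside Emacs, the `enable-local-variables` and `enable-local-eval` settings decide whether such entries are applied, ignored or queried.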