[1334] in bugtraq
Re: MIME question...
daemon@ATHENA.MIT.EDU (Jonathon Tidswell)
Tue Mar 28 08:59:37 1995
From: Jonathon Tidswell <t-jont@microsoft.com>
To: bugtraq@fc.net, pwh@bradley.bradley.edu
Date: Tue, 28 Mar 95 18:30:55 TZ
----------
| From: Pete Hartman <pwh@bradley.bradley.edu>
| To: <bugtraq@fc.net>
| Subject: Re: MIME question...
| Date: Monday, 27 March 1995 12:12
| >has anyone on this list heard of an "auto-execute MIME extension"? is
| >this an issue? the question arose when i doubted the likelihood of
| >a "virus" being launched via reading an e-mail message.
It's real.
It's not Microsoft.
It's a research project at a couple of places.
Preliminary reading is a paper in an '80s CSCW conference.
The title is something about "Computational Email", and it's by
Nathaniel Borenstein, then at Bell Labs.
This used Lisp + curses; later work is based on Tcl and Tk, and is
known as safe-tcl.
| >your thoughts?
The security approach is ad-hoc but seems thorough.
Assuming the security stuff is thorough :-) then viruses are not a
concern, although denial-of-service attacks are.
| The closest to this I've heard of is also a potential problem with
| some Web Browsers.
|
| If you can invoke a sufficiently sophisticated postscript interpreter
| with an email message or a web graphic, you can embed code to do
| unintended things, since PostScript is a full language.
Indeed, which is why you should set the flags for Ghostscript to not process
file and other security-threatening commands.
I presume other PostScript viewers have at least the functionality of
Ghostscript :-)
The same is true of all documents which include scripting components.
Which I guess will be the next generation of word processors from major
vendors.
- Jon Tidswell
Disclaimer:
I am a postgraduate student on a scholarship not an employee of Microsoft ...
I think my thoughts are my own and I believe my writings are too.
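
An added example, not part of the original message or of Ghostscript: a check that PostScript handlers in a mailcap file invoke Ghostscript with `-dSAFER`, the flag that restricts file operators. The mailcap entries are constructed sample data, and it is an assumption that the mail reader dispatches `application/postscript` through a mailcap file (RFC 1524).

```python
import re

# Constructed sample mailcap content (not taken from the original message).
SAMPLE_MAILCAP = """\
# constructed example entries
application/postscript; gs -q -dNOPAUSE %s
application/postscript; gs -q -dSAFER -dNOPAUSE -dBATCH %s; description=PostScript
image/gif; xv %s
application/postscript; \\
    /usr/local/bin/gs -dNOSAFER %s
text/html; lynx -dump %s; copiousoutput
"""

def logical_lines(text):
    """Yield mailcap entries, joining backslash-continued lines, skipping comments."""
    buf = ""
    for raw in text.splitlines():
        if not buf and raw.lstrip().startswith("#"):
            continue
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        buf += raw
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def split_fields(entry):
    """Split an entry on ';' while honouring backslash-escaped semicolons."""
    return [f.strip() for f in re.split(r"(?<!\\);", entry)]

def audit(text):
    """Return (command, reason) for PostScript handlers that run gs without SAFER."""
    findings = []
    for entry in logical_lines(text):
        fields = split_fields(entry)
        if len(fields) < 2 or fields[0].lower() != "application/postscript":
            continue
        argv = fields[1].split()
        if not argv or argv[0].rsplit("/", 1)[-1] not in ("gs", "ghostscript"):
            continue  # other viewers are out of scope for this check
        if "-dNOSAFER" in argv:
            findings.append((fields[1], "-dNOSAFER set"))
        elif "-dSAFER" not in argv:
            findings.append((fields[1], "-dSAFER missing"))
    return findings

if __name__ == "__main__":
    for cmd, reason in audit(SAMPLE_MAILCAP):
        print(f"{reason}: {cmd}")
```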