Bullard, Claude L (Len) wrote:
> ...
>
> 1. Why have the scanner vendors taken until now to figure this out?
> 2. Why single out Microsoft?
I'm curious what other XML vocabularies you know of that transport
Turing-complete macros with complete access to every COM object on the
system?
The only one I know of is XHTML, and people expect the browser to
enforce its sandbox, not a virus checker.
> Tit: Scanning the whole file slows us down.
> Tat: Viruses take you all the way out.
Non sequitur. Let me try an analogous argument: "removing the steering
wheel from the car slows us down." "Theft takes the whole car out."
Well, why not just put a lock on? Efficiency and security are not
necessarily at odds.
> Tit: Microsoft should behave as they ought.
> Tat: So should scanner software. Just because
> the header says the macros are "here" doesn't
> mean another one isn't "there". One might
> want to validate too.
A macro that cannot be executed by the software is harmless. It is just
data.
> Tit: It's Microsoft's fault.
> Tat: Microsoft didn't invent XML.
> This is a problem for any XML that
> can contain a macro and any system
> that doesn't sandbox it.
You act as if there is a long list of such systems.
> Gee. What will Open Office do?
It doesn't practically matter as a performance issue. The volume of data
flowing across the firewall in open office format will be a tiny
fraction of the Office data.
I would hope that OpenOffice has a macro sandbox (or separates macros
from documents), but I don't know for sure.
Paul Prescod
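The scanning point argued in this exchange (a header that says the macros are "here" does not prove there is no macro "there") can be shown with a small added example. This is illustration code written for this page, not code from either poster or from any Office or OpenOffice product; the XML vocabulary, namespace URIs, element names and the sample document are all constructed for the demonstration and do not correspond to any real file format.

```python
# Added example (not from the thread): a constructed "document + macro" XML
# vocabulary and two scanning strategies for it. The namespaces and element
# names below are made up for illustration, not any real Office schema.
import xml.etree.ElementTree as ET

DOC_NS = "urn:example:document"    # constructed namespace
MACRO_NS = "urn:example:macro"     # constructed namespace

# Constructed sample document: its manifest declares that macros live under
# /macros, but a second macro element is tucked into a body paragraph.
SAMPLE_XML = f"""<?xml version="1.0"?>
<d:document xmlns:d="{DOC_NS}" xmlns:m="{MACRO_NS}">
  <d:manifest>
    <d:macroLocation path="/macros"/>
  </d:manifest>
  <d:macros>
    <m:script name="AutoOpen">Sub AutoOpen(): End Sub</m:script>
  </d:macros>
  <d:body>
    <d:paragraph>Quarterly figures attached.</d:paragraph>
    <d:paragraph>
      <m:script name="Document_Open">Sub Document_Open(): End Sub</m:script>
    </d:paragraph>
  </d:body>
</d:document>
"""


def macros_per_manifest(xml_text):
    """Header-trusting scan: look only where the manifest says macros are."""
    root = ET.fromstring(xml_text)
    loc = root.find(f"{{{DOC_NS}}}manifest/{{{DOC_NS}}}macroLocation")
    path = loc.get("path") if loc is not None else None
    if path != "/macros":
        # Unknown or absent location: this strategy has nothing to check.
        return []
    container = root.find(f"{{{DOC_NS}}}macros")
    if container is None:
        return []
    return [el.get("name") for el in container.iter(f"{{{MACRO_NS}}}script")]


def macros_whole_tree(xml_text):
    """Whole-file scan: every element in the macro namespace, wherever it sits."""
    root = ET.fromstring(xml_text)
    prefix = "{" + MACRO_NS + "}"
    return [el.get("name") for el in root.iter() if el.tag.startswith(prefix)]


def undeclared_macros(xml_text):
    """Macros the whole-tree scan sees but the manifest-driven scan misses."""
    declared = set(macros_per_manifest(xml_text))
    return [name for name in macros_whole_tree(xml_text) if name not in declared]


if __name__ == "__main__":
    print("per manifest:", macros_per_manifest(SAMPLE_XML))
    print("whole tree:  ", macros_whole_tree(SAMPLE_XML))
    print("undeclared:  ", undeclared_macros(SAMPLE_XML))
```

Run against the constructed sample, the manifest-driven scan reports only `AutoOpen`, while the whole-tree scan also finds `Document_Open` in the body. The cost of the second strategy is one pass over the parsed tree, which is the trade-off the "scanning the whole file slows us down" objection is about; the reply's counterpoint is that a consumer which refuses to execute the undeclared macro makes it plain data either way, so a scanner and a sandbox address the same gap from different ends.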