OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Oh those XML Viruses

[ Lists Home | Date Index | Thread Index ]

Bullard, Claude L (Len) wrote:
> ...
> 1. Why have the scanner vendors taken until now to figure this out?
> 2. Why single out Microsoft?  

I'm curious what other XML vocabularies you know of that transport 
Turing-complete macros with complete access to every COM object on the 

The only one I know if is XHTML, and people expect the browser to 
enforce its sandbox, not a virus checker.

> Tit:  Scanning the whole file slows us down.  
> Tat:  Viruses take you all the way out.  

Non sequiter. Let me try an analogous argument: "removing the steering 
wheel from the car slows us down." "Theft takes the whole car out." 
Well, why not just put a lock on? Efficiency and security are not 
necessarily at odds.

> Tit:  Microsoft should behave as they ought.
> Tat:  So should scanner software.  Just because 
>       the header says the macros are "here" doesn't 
>       mean another one isn't "there".  One might 
>       want to validate too.

A macro that cannot be executed by the software is harmless. It is just 

> Tit:  It's Microsoft's fault.
> Tat:  Microsoft didn't invent XML. 
>       This is a problem for any XML that 
>       can contain a macro and any system 
>       that doesn't sandbox it.

You act as if there is a long list of such systems.

> Gee.  What will Open Office do?

It doesn't practically matter as a performance issue. The volume of data 
flowing across the firewall in open office format will be a tiny 
fraction of the Office data.

I would hope that OpenOffice has a macro sandbox (or separates macros 
from documents), but I don't know for sure.

  Paul Prescod


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS