---------- | From: Pete Hartman <pwh@bradley.bradley.edu> | To: <bugtraq@fc.net> | Subject: Re: MIME question... | Date: Monday, 27 March 1995 12:12 | >has anyone on this list heard of an "auto-execute MIME extension"? is | >this an issue? the question arose when i doubted the likelihood of | >a "virus" being launched via reading an e-mail message. Its real. Its not Microsoft. Its a research project at a couple of places. Preliminary reading is a paper in an '80s CSCW conference. The title is something about "Computational Email", and its by Nathanial Borenstein then at Bell Labs. This used lisp + curses, later work is based on Tcl and Tk, and is known as safe-tcl. | >your thoughts? The security approach is ad-hoc but seems thorough. Assuming the security stuff is thorough :-) then virii are not a concern, although denial-of-service attacks are. | The closest to this I've heard of is also a potential problem with | some Web Browsers. | | If you can invoke a sufficiently sophisticated postscript interpreter | with an email message or a web graphic, you can embed code to do | unintended things, since PostScript is a full language. Indeed which is why you should set the flags for Ghostscript to not process file and other security threatening commands. I presume other postscript viewers have at least the functionality of ghostscript :-) The same is true of all documents which include scripting components. Which I guess will be the next generation of word processors from major vendors. - Jon Tidswell Disclaimer: I am a postgraduate student on a scholarship not an employee of Microsoft ... I think my thoughts are my own and I believe my writings are too.