

Bullard, Claude L (Len) wrote:
> ...
> 
> 1. Why have the scanner vendors taken until now to figure this out?
> 2. Why single out Microsoft?  

I'm curious what other XML vocabularies you know of that transport 
Turing-complete macros with complete access to every COM object on the 
system?

The only one I know of is XHTML, and people expect the browser to 
enforce its sandbox, not a virus checker.

> Tit:  Scanning the whole file slows us down.  
> Tat:  Viruses take you all the way out.  

Non sequitur. Let me try an analogous argument: "removing the steering 
wheel from the car slows us down." "Theft takes the whole car out." 
Well, why not just put a lock on? Efficiency and security are not 
necessarily at odds.

> Tit:  Microsoft should behave as they ought.
> Tat:  So should scanner software.  Just because 
>       the header says the macros are "here" doesn't 
>       mean another one isn't "there".  One might 
>       want to validate too.

A macro that cannot be executed by the software is harmless. It is just 
data.

> Tit:  It's Microsoft's fault.
> Tat:  Microsoft didn't invent XML. 
>       This is a problem for any XML that 
>       can contain a macro and any system 
>       that doesn't sandbox it.

You act as if there is a long list of such systems.

> Gee.  What will Open Office do?

It doesn't practically matter as a performance issue. The volume of data 
flowing across the firewall in open office format will be a tiny 
fraction of the Office data.

I would hope that OpenOffice has a macro sandbox (or separates macros 
from documents), but I don't know for sure.

  Paul Prescod
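The point the two posters are arguing over (whether a scanner may trust a document's declared macro location, or must walk the whole file) can be shown with a small comparison. This is an added example, not code from the thread or from any scanner vendor; the XML vocabulary, the `macro-location` header convention and the `<script>` element are all invented for the illustration and do not describe any real Office or OpenOffice format.

```python
"""Added example (not part of the original xml-dev thread).

Compares two scanning strategies over a constructed XML document:
  * trust-the-header: look only where the header says the macros are
  * full-scan: walk every element in the tree
The vocabulary (<macro-location>, <script>) is hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample document. The header claims macros live only under
# /doc/macros, but a second <script> element is buried inside <body>.
SAMPLE_DOC = """<?xml version="1.0"?>
<doc>
  <header>
    <macro-location>/doc/macros</macro-location>
  </header>
  <macros>
    <script name="AutoOpen">MsgBox "hello"</script>
  </macros>
  <body>
    <p>Quarterly report</p>
    <embedded>
      <script name="Hidden">CreateObject("WScript.Shell")</script>
    </embedded>
  </body>
</doc>
"""


def _resolve_path(root, location):
    """Resolve a hypothetical absolute element path such as /doc/macros.

    Returns the element, or None if any step is missing.
    """
    parts = location.strip("/").split("/")
    if not parts or parts[0] != root.tag:
        return None
    node = root
    for step in parts[1:]:
        node = node.find(step)
        if node is None:
            return None
    return node


def find_macros_trusting_header(xml_text):
    """Fast but incomplete: only inspect the declared macro container."""
    root = ET.fromstring(xml_text)
    location = root.findtext("header/macro-location")
    if not location:
        return []
    container = _resolve_path(root, location)
    if container is None:
        return []
    return sorted(s.get("name") for s in container.iter("script"))


def find_macros_full_scan(xml_text):
    """Complete: one pass over every element, regardless of the header."""
    root = ET.fromstring(xml_text)
    return sorted(s.get("name") for s in root.iter("script"))


def macros_missed_by_header(xml_text):
    """Macros a header-trusting scanner would not see."""
    declared = set(find_macros_trusting_header(xml_text))
    actual = set(find_macros_full_scan(xml_text))
    return sorted(actual - declared)


if __name__ == "__main__":
    print("header only :", find_macros_trusting_header(SAMPLE_DOC))
    print("full scan   :", find_macros_full_scan(SAMPLE_DOC))
    print("missed      :", macros_missed_by_header(SAMPLE_DOC))
```

The full scan is still a single pass over the tree, which is the "put a lock on" option from the reply above: it costs one traversal rather than a lookup, not a wholesale loss of efficiency. Whether the stray `<script>` in `<body>` is actually dangerous depends, as the reply also notes, on whether the consuming application would execute a macro found there; the scanner can report it, but only the application's own sandboxing decides if it is anything more than data.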

