On Monday, 30 Jan 1995, Dr. Frederick B. Cohen wrote:
> The real problem you will encounter is likely that W3 is not
> secure. For example, .ps files which alter internal files will pass
> through the firewall to the W3 browser and cause internal damage.
>
The problem you describe isn't limited to W3 browsers. In fact, *any*
system which allows the blind invocation of programs is vulnerable. One
could just as well send the PostScript "nastygram" you describe through
email. An email user agent that "conveniently" started a PostScript
viewer would basically defer any security policy enforcement to the
viewer just as effectively as a W3 browser.

Now, most sites don't ban email, so vigilance against malicious or
accidental damage can't just rely on a perimeter firewall. The "hard
crunchy shell surrounding a soft chewy center" does not provide automatic
protection against all attacks --- just ask your average armadillo how
safe it is once a predator has discovered how to turn it over. ;-)
Frank
--
"Outside of a dog, a book is a man's best friend;
inside of a dog, it's too dark to read." -- Groucho Marx