Bugtraq mailing list archives

Re: MIME question...


From: t-jont () microsoft com (Jonathon Tidswell)
Date: Tue, 28 Mar 95 18:30:55 TZ


----------
| From: Pete Hartman  <pwh () bradley bradley edu>
| To:  <bugtraq () fc net>
| Subject: Re: MIME question...
| Date: Monday, 27 March 1995 12:12


| >has anyone on this list heard of an "auto-execute MIME extension"?  is
| >this an issue?  the question arose when i doubted the likelihood of
| >a "virus" being launched via reading an e-mail message.
It's real.
It's not Microsoft.
It's a research project at a couple of places.

Preliminary reading is a paper in an '80s CSCW conference.
The title is something about "Computational Email", and it's by
Nathaniel Borenstein, then at Bell Labs.

This used lisp + curses; later work is based on Tcl and Tk, and is
known as safe-tcl.

| >your thoughts?
The security approach is ad-hoc but seems thorough.

Assuming the security stuff is thorough :-) then virii are not a
concern, although denial-of-service attacks are.

| The closest to this I've heard of is also a potential problem with
| some Web Browsers.
|
| If you can invoke a sufficiently sophisticated postscript interpreter
| with an email message or a web graphic, you can embed code to do
| unintended things, since PostScript is a full language.
Indeed, which is why you should set the flags for Ghostscript to not process
file and other security-threatening commands.
I presume other postscript viewers have at least the functionality of
ghostscript :-)

The same is true of all documents which include scripting components.
Which I guess will be the next generation of word processors from major
vendors.

- Jon Tidswell

Disclaimer:
I am a postgraduate student on a scholarship not an employee of Microsoft ...
I think my thoughts are my own and I believe my writings are too.
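
Added example, not part of the original message or the thread: a triage scanner that lists file-system operators used in a PostScript document before it is handed to a viewer, ignoring comments and string literals. The operator shortlist, the `%pipe%` check and both sample documents are constructed for illustration; this is a heuristic only, and the interpreter's own restricted mode (Ghostscript's `-dSAFER` flag) is what actually enforces the restriction.

```python
import re

# File-system operators from the PostScript language; constructed shortlist.
RISKY_OPERATORS = {"file", "deletefile", "renamefile", "run", "filenameforall"}
TOKEN = re.compile(rb"[^\s()<>\[\]{}/%]+")

def split_code_and_strings(ps):
    """Blank out comments and (...) strings; return (code, string_literals)."""
    code, strings, i, n = bytearray(), [], 0, len(ps)
    while i < n:
        ch = ps[i:i + 1]
        if ch == b"%":                       # comment: skip to end of line
            while i < n and ps[i:i + 1] not in (b"\n", b"\r"):
                i += 1
        elif ch == b"(":                     # string: parentheses may nest
            depth, j = 1, i + 1
            while j < n and depth:
                if ps[j:j + 1] == b"\\":
                    j += 1                   # skip the escaped character
                elif ps[j:j + 1] == b"(":
                    depth += 1
                elif ps[j:j + 1] == b")":
                    depth -= 1
                j += 1
            strings.append(ps[i + 1:j - 1])
            code += b" "
            i = j
        else:
            code += ch
            i += 1
    return bytes(code), strings

def scan_postscript(ps):
    """Return risky names (executable or literal) found outside comments/strings."""
    code, strings = split_code_and_strings(ps)
    found = sorted({t.decode("ascii", "replace") for t in TOKEN.findall(code)}
                   & RISKY_OPERATORS)
    if any(s.startswith(b"%pipe%") for s in strings):
        found.append("%pipe%")               # Ghostscript pipe device in a file name
    return found

# Constructed sample documents (not from the original post).
BENIGN = (b"%!PS\n% deletefile appears only in this comment\n"
          b"/Helvetica findfont 12 scalefont setfont\n"
          b"72 720 moveto (please delete the file) show showpage\n")
RISKY = (b"%!PS\n(/tmp/constructed-example.txt) (w) file closefile\n"
         b"(/tmp/constructed-example.txt) deletefile\n")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("risky", RISKY)):
        print(name, scan_postscript(doc))
```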


