[Tutor] eval and exec

Alan Gauld alan.gauld at freenet.co.uk
Tue Dec 7 00:16:31 CET 2004


> > - MS allows Outlook to run scripts when mail is open, if
> > those scripts are harmful we have a virus!

That is (was, they've improved it a lot) the number one cause
of script kiddie viruses. Simply viewing a mail message in the
preview pane was enough to trigger a script. They have 
improved security greatly in the recent patches though.

But HTML mail has similar issues. If someone handcrafts an HTML
message with some JavaScript code then you are relying on your
browser's sandbox technology to protect you. And if it's Windows
and WSH is enabled the script can read/write the registry...

The ability to script documents is powerful, but potentially
dangerous, just like eval/exec (which are how such 
capabilities are typically implemented!)

Alan G.
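
An added example, not part of the original message: a constructed "scriptable document" whose {{ ... }} fields are rendered once with eval() and once with a parser that only permits arithmetic, showing why eval-backed document scripting hands the document author full interpreter access. The field syntax, sample document and function names are assumptions made for illustration.

```python
import ast
import operator
import re

# Constructed sample document with embedded {{ ... }} fields (not from the post).
DOC = "Total: {{ 2 * (3 + 4) }} | Note: {{ __import__('os').getcwd() }}"
FIELD = re.compile(r"\{\{(.*?)\}\}")

# The only operators the restricted renderer will evaluate.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv,
        ast.USub: operator.neg}

def render_naive(doc):
    """Scriptable document built on eval(): every field runs as full Python."""
    return FIELD.sub(lambda m: str(eval(m.group(1).strip())), doc)

def _safe_eval(node):
    """Evaluate numeric literals and + - * / only; reject everything else."""
    if isinstance(node, ast.Expression):
        return _safe_eval(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_safe_eval(node.left), _safe_eval(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_safe_eval(node.operand))
    raise ValueError("disallowed syntax: " + type(node).__name__)

def render_restricted(doc):
    """Same field syntax, but fields are parsed and checked, never executed."""
    def field(m):
        try:
            tree = ast.parse(m.group(1).strip(), mode="eval")
            return str(_safe_eval(tree))
        except (ValueError, SyntaxError, ZeroDivisionError, RecursionError):
            return "[blocked]"
    return FIELD.sub(field, doc)

if __name__ == "__main__":
    print(render_naive(DOC))       # second field reaches the os module
    print(render_restricted(DOC))  # second field is refused
```

The naive renderer treats the document as code, so whoever writes the document decides what runs; the restricted one treats it as data and evaluates only the node types it explicitly allows.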

