[Tutor] eval and exec
Alan Gauld
alan.gauld at freenet.co.uk
Tue Dec 7 00:16:31 CET 2004
> > - MS allows Outlook to run scripts when mail is open, if
> > those scripts are harmful we have a virus!
That is (was, they've improved it a lot) the number one cause
of script kiddie virii. Simply viewing a mail message in the
preview pane was enough to trigger a script. They have
improved security greatly in the recent patches though.
But HTML mail has similar issues. If someone handcrafts an HTML
message with some JavaScript code then you are relying on your
browser's sandbox technology to protect you. And if it's Windows
and WSH is enabled the script can read/write the registry...
The ability to script documents is powerful, but potentially
dangerous, just like eval/exec (which are how such
capabilities are typically implemented!)
Alan G.
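
An added example, not part of the original post, illustrating the point about scripted documents and eval/exec: a document format with `{{ ... }}` fields rendered through an AST allowlist instead of eval(), so a field that tries to call into the interpreter is refused. The `{{ }}` syntax, the function names and both sample documents are assumptions made up for this illustration.

```python
import ast
import operator
import re

# Operators a document field may use; anything else is rejected.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}

class UnsafeExpression(ValueError):
    """Raised when a field contains syntax outside the allowlist."""

def safe_eval(expr, variables):
    """Evaluate arithmetic over named numeric variables without eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # type() check rather than isinstance so that True/False are refused.
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name) and node.id in variables:
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        # Calls, attribute access, subscripts, lambdas, etc. all land here.
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(str(exc)) from exc
    return walk(tree)

_FIELD = re.compile(r"\{\{(.*?)\}\}")

def render(document, variables):
    """Fill in every {{ field }}; one unsafe field rejects the whole document."""
    return _FIELD.sub(lambda m: str(safe_eval(m.group(1), variables)), document)

# Constructed sample documents (not from the original post).
BENIGN = "Total due: {{ price * qty + shipping }}"
HOSTILE = "Hello {{ __import__('os').getcwd() }}"

if __name__ == "__main__":
    data = {"price": 3, "qty": 4, "shipping": 5}
    print(render(BENIGN, data))
    try:
        render(HOSTILE, data)
    except UnsafeExpression as err:
        print("rejected:", err)
```

Passing the same field text to eval() would run the call in HOSTILE with the full privileges of the program that opened the document.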