On Tue, 2003-08-05 at 23:12, der.hans wrote:
> Am 05. Aug, 2003 schwÃ€tzte Craig White so:

> That might be true, but executing images and plain text are foolish.
> Whatever group did that obviously never took security or stability into
> account. That wasn't adding functionality, that was only adding security
> holes.
> 
> Open the file and examine it to find out if it is an image, don't execute it
> and see what happens. It's a data file, not an executable, so why do m$
> programs execute them? I haven't yet seen anything saying they're fixing
> this error. They're just suggesting using filters ( some of which are now in
> their code ) to avoid ( some of ) the exploits we know about.
> 
---
Some of these things had roots before the Microsoft mail clients...html
mail with embedded javascript for example and then there was RLE pics

As you know, when you have a sizable workgroup, sending users an
executable via email is a bad idea. Some users won't execute it, some
users are incapable of making the distinction of which executable
attachments are ok and will get the idea that all executables are OK to
double click and so on.

Windows can pretty much distribute updates via netlogon scripts so the
email thing was an interesting idea that went amuck. Starting with IE/OE
6, the default is to prevent scripted attachments from executing (in
fact, they are by default not even shown to the user) which eliminates
the problem on new installs but of course, there are millions of
machines out there that aren't thus configured.

At this point, the virii benefits of Linux are pretty much the same as
for Macintosh - it's hard to gain recognition for the evil deeds when
your target is a small percentage of the computing public. I would agree
that I have had enough of removing the various virii from Windows
machines and insist that all my Windows network clients use Symantec AV
for desktops & servers which I can maintain, update all clients and lock
them out of shutting it off on their desktops - thereby alleviating all
user responsibility. It's about $50 per user (and $25 per year
thereafter). It's just an addition to the cost per computer per year and
I'm afraid that in the not too distant future, something similar will be
required for Linux.

Craig