Re: Oh those XML Viruses
Bullard, Claude L (Len) wrote: > ... > > 1. Why have the scanner vendors taken until now to figure this out? > 2. Why single out Microsoft? I'm curious what other XML vocabularies you know of that transport Turing-complete macros with complete access to every COM object on the system? The only one I know if is XHTML, and people expect the browser to enforce its sandbox, not a virus checker. > Tit: Scanning the whole file slows us down. > Tat: Viruses take you all the way out. Non sequiter. Let me try an analogous argument: "removing the steering wheel from the car slows us down." "Theft takes the whole car out." Well, why not just put a lock on? Efficiency and security are not necessarily at odds. > Tit: Microsoft should behave as they ought. > Tat: So should scanner software. Just because > the header says the macros are "here" doesn't > mean another one isn't "there". One might > want to validate too. A macro that cannot be executed by the software is harmless. It is just data. > Tit: It's Microsoft's fault. > Tat: Microsoft didn't invent XML. > This is a problem for any XML that > can contain a macro and any system > that doesn't sandbox it. You act as if there is a long list of such systems. > Gee. What will Open Office do? It doesn't practically matter as a performance issue. The volume of data flowing across the firewall in open office format will be a tiny fraction of the Office data. I would hope that OpenOffice has a macro sandbox (or separates macros from documents), but I don't know for sure. Paul Prescod
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format