OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Changed subject (was Re: reg. virus named ...)
From: David Terrell (dbtmeat.net)
Date: Fri May 05 2000 - 18:36:21 CDT

On Fri, May 05, 2000 at 06:19:44PM -0500, Ari Gordon-Schlosberg wrote:
> That's less of an issue, as vbs in the context of an email message body is
> executed in the Internet security context, which does not let it do what
> the virus does.
>
> However, since it was sent as an attachment and clicked on, it now runs in
> a local context with full permissions to do anything.
>
> To Microsoft's credit, there is a bit of sandbox that all this executable
> content it run in. However, attachements are treated as if they were saved
> to disk and then opened, which is to say with the same permissions as Word
> or Explorer.

That's not true. VB Script embedded in an HTML document is treated
as internet context. a .vbs file (or .vbe, .js, .jse, or even .exe)
that is a part or whole of a MIME message is simply executed locally,
and there is no sandbox for local execution. Period. Only
HTML-embedded scripting has any sandbox whatsoever. 

-- 
David Terrell             | "War is peace, 
Prime Minister, Nebcorp   | freedom is slavery, 
dbtmeat.net              | ignorance is strength 
http://wwn.nebcorp.com/   | Dishes are clean." - Chris Fester