Posted to alt.home.repair
Mayayana
Check your Windows 10 block settings

| The exploits I mentioned previously don't require any
| "remote software" to be executed from the 'net. *But*,
| as each of these non-ASCII-text files requires something
| to *interpret* their contents (as a photograph, audio
| clip, video clip, etc.) then those non-ASCII-text files
| are, essentially, *programs*! They control the behavior
| of their respective "decoders" when you apply those decoders
| to those files.
|

That's not true. The exploits you listed all
involve a weakness in executable code -- either
compiled binaries or script. Most involve javascript.
Many of those *also* require a binary like Flash.
The rare exception would be something like the
gdiplus.dll bug that could be exploited with JPGs.
(Gdiplus was fairly new at the time.) Data files that
are not interpreted as executable -- whether text
or not -- are almost never a risk because they're
not doing anything. (Again, I'd be interested to
hear if there are any examples besides the one-time
JPG issue, which was many years ago.)

I've never heard of any vulnerability in HTML.
It defines graphical layout. It's not interpreted
as executable code. It's sometimes possible to
crash a browser with faulty HTML, but that's just
a case of "choking" the software. There's no
executable code involved.

| If I email you a receipt for a purchase
| as a PDF, then the act of opening it means your "PDF decoder"
| has now been tricked into "interpreting" the information
| embedded in that file (just like a computer interprets a
| computer program).
|

You're misusing the word interpret. A computer
doesn't interpret a program. The program itself
accesses the CPU, RAM and disk. Script is text
that's interpreted as executable code, but that
makes it just like a compiled program, in that
the interpreter is a program acting under the
direction of the script. A PDF is not interpreted
as executable code. What the PDF reader gets from
the PDF data is information about text, fonts,
colors and layout. The problems with PDF are due
to allowing javascript in PDFs to run.

| The browser *is* executable code! The OS is executable code.
| The JPG decoder is executable code. The PDF reader is executable
| code. Anything that *does* anything does it by executing code!
|
I don't know how many ways I can explain it.
As I said, I'd be interested to know if you find
any vulnerabilities that do not directly involve
executable code. They're few and far between.
In other words, a browser is, of course, executable
code, but you can't hijack it by telling it to draw
a table with a blue background. A browser is
hijacked by getting it to run executable code --
via the javascript "engine" or a faulty plug-in.


| Adobe crap at all. Don't enable script. Don't install Java.
| Don't run videos and music in browser plugins like Flash.
| Don't enable script in your PDF viewer.
| (For me this is easy. I don't like things moving on webpages
| while I'm trying to read. If I want to see a video I'll
| download it, so I can save a copy, and play it in VLC. If
|
| http://www.zdnet.com/article/vlc-vulnerabilities-exposed/
| "Vulnerabilities have been discovered in some versions of the
| popular VLC media player which may allow a cyberattacker to
| corrupt memory and potentially execute arbitrary code."
|
| http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=VLC_vulnerabilities.html
|

That's interesting. It's good to know about
such things. But I'm not going to lose
any sleep. I'm not using a VLC browser plugin,
and there's very little motive for someone to
put a video on youtube that will attack my
system offline. Especially given that I don't
download wacky cat videos from random posters.

| Note that it doesn't matter if you run VLC from your browser or
| download the file and run VLC separately.
| "Vulnerabilities in VLC allow for remote code execution or
| denial of service. VLC also has a remote code execution
| vulnerability in the web interface."
|

Remote means remote. If you download a file
and play it in VLC that's not remote execution.
Remote would mean playing it via webpage or
some other way of accessing it from a remote
location.

| It's like the admonition from my youth regarding unwanted
| pregnancies: the only SURE contraceptive is ABSTINENCE!
| I.e., the only sure way to avoid these vulnerabilities is
| to NOT import anything that you didn't create yourself.

I suppose that in the most extreme interpretation
you're right. I've decided that having sex carefully,
with my post-menopausal ladyfriend, is a "risk" I'm
willing to take. Good luck with the inflatables.
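The disagreement above turns on whether the bytes of a data file can steer the program that decodes them. The following is an added example written for this page, not code from either poster, showing the defensive side of that question: a decoder for a constructed toy image format that checks every dimension and length it reads from the file against the bytes it actually received and against its fixed-size destination before copying anything. The format, the `ti_` names, the `TI_MAX_PIXELS` limit and the sample byte strings are all constructed for this example and correspond to no real file format or product.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy image format (invented for this example, not a real format):
 *   bytes 0-1 : magic 'T' 'I'
 *   byte  2   : width in pixels
 *   byte  3   : height in pixels
 *   bytes 4-5 : payload length, little-endian; must equal width * height
 *   bytes 6.. : one byte per pixel
 */
#define TI_HEADER_LEN 6
#define TI_MAX_PIXELS 64  /* size of the fixed destination the decoder fills */

typedef struct {
    uint8_t width;
    uint8_t height;
    size_t npixels;
    uint8_t pixels[TI_MAX_PIXELS];
} ti_image;

typedef enum {
    TI_OK = 0,
    TI_ERR_SHORT,   /* buffer ends before the header or the payload does */
    TI_ERR_MAGIC,   /* not this format */
    TI_ERR_DIMS,    /* zero or oversized dimensions */
    TI_ERR_LENGTH   /* declared payload length disagrees with the dimensions */
} ti_status;

/* Decode one file image into *out.
 * Every value read from the file (dimensions, declared length) is untrusted:
 * it is checked against the bytes actually received and against the fixed-size
 * destination before any copy happens. A decoder that instead used the declared
 * length as its copy size would let the file decide how far past out->pixels
 * the copy runs; that is the "file controls the decoder" point in the thread. */
ti_status ti_decode(const uint8_t *buf, size_t len, ti_image *out)
{
    if (len < TI_HEADER_LEN)
        return TI_ERR_SHORT;
    if (buf[0] != 'T' || buf[1] != 'I')
        return TI_ERR_MAGIC;

    uint8_t w = buf[2];
    uint8_t h = buf[3];
    size_t declared = (size_t)buf[4] | ((size_t)buf[5] << 8);
    size_t need = (size_t)w * (size_t)h;  /* at most 255*255, cannot overflow size_t */

    if (w == 0 || h == 0 || need > TI_MAX_PIXELS)
        return TI_ERR_DIMS;
    if (declared != need)
        return TI_ERR_LENGTH;
    if (len - TI_HEADER_LEN < need)  /* file promises more pixels than it carries */
        return TI_ERR_SHORT;

    out->width = w;
    out->height = h;
    out->npixels = need;
    memcpy(out->pixels, buf + TI_HEADER_LEN, need);  /* bounded by the checks above */
    return TI_OK;
}

/* Decode into a scratch image and report only the verdict. */
ti_image ti_scratch;
ti_status ti_verdict(const uint8_t *buf, size_t len)
{
    return ti_decode(buf, len, &ti_scratch);
}

/* Constructed sample files. */
const uint8_t ti_good[] = {
    'T', 'I', 4, 4, 16, 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};
/* Declared length 0xFFFF for a 4x4 image: a copy sized from this field alone
 * would run far past a 64-byte destination. */
const uint8_t ti_bad_length[] = {
    'T', 'I', 4, 4, 0xFF, 0xFF,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};
/* 200x200 = 40000 pixels (0x9C40 little-endian), far larger than the destination. */
const uint8_t ti_bad_dims[] = { 'T', 'I', 200, 200, 0x40, 0x9C, 0, 0, 0, 0 };
/* Header promises 16 pixels, file ends after 3. */
const uint8_t ti_truncated[] = { 'T', 'I', 4, 4, 16, 0, 1, 2, 3 };

int main(void)
{
    printf("good       -> %d\n", ti_verdict(ti_good, sizeof ti_good));
    printf("bad length -> %d\n", ti_verdict(ti_bad_length, sizeof ti_bad_length));
    printf("bad dims   -> %d\n", ti_verdict(ti_bad_dims, sizeof ti_bad_dims));
    printf("truncated  -> %d\n", ti_verdict(ti_truncated, sizeof ti_truncated));
    return 0;
}
```

The order of the checks matters: dimensions are validated against the destination before the declared length is compared to them, and the declared length is compared before the buffer length is consulted, so no arithmetic on file-supplied values is ever used as a copy size until all three agree.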