> Nope, you're mistaken. HTML IS A SCRIPT!

No, it is not. It is a markup language. HTML = HyperText Markup Language.
There are other types of markup languages - SGML, etc. It is NOT a script,
nor an executable binary. You can EMBED scripts in it, yes. That's a
different thing.

> Olly said it for me.
> HTML is a binary executable in the same sense as a graphic file (eg,
> .jpg, .gif. etc.), and can deliver malicious code, whether you 'click
> on it or not'.

No. An ACTUAL graphic file - JPG, GIF, etc - is NOT executable. You're
referring to a *specific* Windows OS problem, that allows file extensions to
be hidden, thereby presenting SCRIPTS as if they are graphics files. That is
an OS shortcoming, easily rectified by changing 1 setting. Then you'd see
that it is in reality NOT a graphic file, and (presuming that you are
sensible), you would not try and execute it.

You're referring to a bad guy exploiting a stupid OS default setting, not a
problem with HTML, since the supposed graphic almost always comes as an
ATTACHMENT to an email, whether HTML or plain text.

> When a Windoze system, which can only be 'pretend' secured at best,

Again, no. It takes some know-how, but it most certainly can be done. It's
not *AS* secure as Unix, but it can be more than secure enough for home use.
As with any OS, it depends in large part on user knowledge and practices.
(Practices include getting all the proper OS and application patches.)

Just because many (perhaps most) Windows users DON'T have their systems set
up properly, does NOT mean that they can NOT be set up properly.

> executes Hyper Text Markup Language, embedded worms can be delivered to
> any M$ OS.

No. Embedded "worms", as you put it, are SCRIPTS (JavaScript, VBScript, PHP,
etc). Scripts can be set to not automatically execute upon viewing. This was
the whole point of my post. This, in combination with a decent, frequently
updated AV program, will do wonders for minimizing that particular type of
threat.

> This isn't a threat for U*ix systems, which is why I said "for your own
> safety" in cautioning M$ and
> particularly M$ email users.

You can read HTML mail on Windows (please try and refrain from using
insulting terms about other OSes) using mail readers other than O/OE without
ill effects. So it is NOT HTML that is dangerous, as you claim, but the
configuration of the software/OS that you are using.

If you wish to state that HTML *can* be dangerous *IF* you leave your
*OUTLOOK/OUTLOOK EXPRESS* at its default, non-secure settings, then you
would be absolutely correct.

The same can be said of RedHat's default configuration - they load many
services that are potential security holes that are far worse than any HTML
holes. But if you know what you are doing, and change your configuration,
these problems either disappear or become vastly minimized. Ditto for
Windows and HTML mail.

> > Please - don't make incorrect blanket statements.
>
>    Do some research, then take your own advice.

As I stated in my email, I have. And the method I outlined above works, and
is (part of) the recommended advice for securing O/OE.
I suggest you do the same, since - judging by the examples you've used in
this email - you have some misconceptions about a few things.

> ineffective due to user ignorance. When you read HTML in a Windoze
> system, you have opened your system to it and are allowing it to
> execute code. This is like using a Linux system, as root, with no

NO. Did you not read my post?

*SCRIPTS* embedded in HTML can cause problems, *NOT* the HTML code itself.
And SCRIPTS can be set to NOT execute.

Please become aware of the difference between scripts in HTML and actual
HTML commands themselves. Just because most viruses/trojan horses/worms are
written in C does not mean C itself is a virus-riddled language.


