John Becket wrote:
> Tony Mechelynck wrote:
> > Maybe you should set a config-time option (or create one) to
> > avoid any interaction with the shell?
> >
> > Even better: If you don't want ever to become the victim of
> > any exploit, turn your computer off at the wall switch and
> > leave it off.
> >
> > :-b
>
> I haven't studied this example, but as I understand it, the suggestion is
> that I could send you a file with a message like "What's the deal with this
> weird message that Vim gives? Open file xxx and search for yyy then press K."
>
> Jan is saying (I think) that following those instructions could execute
> malware.
>
> Sure, it will never happen to me or you, but if we were discussing Microsoft
> Word, most people would have no hesitation in declaring that such a
> vulnerability (press a key in a document to get owned) is just NOT acceptable.
>
> We aren't talking about mapping K to execute "system('dodgyfile')". K is
> performing its default function, but that function could exploit you if
> executed on certain text, with a certain file present.
>
> If my understanding is correct, I don't think it's reasonable to write this
> off with the "switch power off" joke (if I've got this wrong, please correct
> me).

It's more like the "execute this attachment to see a movie of xyz nude".
Or the signature virus:

  Hi! I'm a signature virus. Please add me to your signature and help
  me spread!

Or this one:

  This is the polymorph virus! Follow these instructions carefully:
  1. Send this message to everybody you know.
  2. Format your harddisk.
  Thank you for your cooperation in spreading the most powerful virus
  ever!

The problem with K might have less success...

There even is a Wikipedia article on it:
http://en.wikipedia.org/wiki/Honor_system_virus

--
The fastest way to get an engineer to solve a problem is to declare that the
problem is unsolvable. No engineer can walk away from an unsolvable problem
until it's solved.
(Scott Adams - The Dilbert principle)

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///