John Becket wrote:
> Tony Mechelynck wrote:
> > Maybe you should set a config-time option (or create one) to
> > avoid any interaction with the shell?
> >
> > Even better: If you don't want ever to become the victim of
> > any exploit, turn your computer off at the wall switch and
> > leave it off.
> >
> > :-b
>
> I haven't studied this example, but as I understand it, the suggestion is
> that I could send you a file with a message like "What's the deal with this
> weird message that Vim gives? Open file xxx and search for yyy then press K."
>
> Jan is saying (I think) that following those instructions could execute
> malware.
>
> Sure, it will never happen to me or you, but if we were discussing Microsoft
> Word, most people would have no hesitation in declaring that such a
> vulnerability (press a key in a document to get owned) is just NOT acceptable.
>
> We aren't talking about mapping K to execute "system('dodgyfile')". K is
> performing its default function, but that function could exploit you if
> executed on certain text, with a certain file present.
>
> If my understanding is correct, I don't think it's reasonable to write this
> off with the "switch power off" joke (if I've got this wrong, please correct
> me).

It's more like the "execute this attachment to see a movie of xyz nude". Or
the signature virus:

Hi! I'm a signature virus. Please add me to your signature and help me
spread!

Or this one:

This is the polymorph virus! Follow these instructions carefully:
1. Send this message to everybody you know.
2. Format your harddisk.
Thank you for your cooperation in spreading the most powerful virus ever!

The problem with K might have less success...

There even is a Wikipedia article on it:
http://en.wikipedia.org/wiki/Honor_system_virus

--
The fastest way to get an engineer to solve a problem is to declare that the
problem is unsolvable. No engineer can walk away from an unsolvable problem
until it's solved.
(Scott Adams - The Dilbert principle)
/// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---