Malware Triangle

[Ant]

that's an embellishment... it says "here's a script", i'll give you
that, but that's about it...

And those embelishments contribute to the whole, and are the problem
with respect to malware issues.

markup languages don't tell their associated readers what to do, they
label various sections of data in a document as being of type X and/or
having property Y... the associated reader decides what to do with the
data in part based on the semantic meaning those labels (or tags)
add... tags don't instruct, they describe...

The effect is the same, as far as a permissively configured browser is
concerned, when it interprets html with embedded executable content.

only because the convention for 'rendering html' in practice includes
handing scripts and other embedded objects off to their associated
handlers/subsystems/etc in addition to straight html rendering...

This is why I originally said it should be considered a programming
language, although you and I know that in its pure form it is not.
Html has evolved to allow all sorts of constructs and active content
which we might think inappropriate for a text markup language, but
was thought necessary to enhance hypertext for the web experience.

An html text file with the "embelishments" effectively becomes one
script containing not only layout and display descriptions, but
references to executable objects, and program source code which will
be interpreted and run in a suitably configured browser. Perhaps I
should not have called this conglomeration "html" in my original post
to this thread.

 

[kurt wismer]

And those embelishments contribute to the whole, and are the problem
with respect to malware issues.

i actually meant that it was an embellishment on your part, not the
designers part, nor html's part...

The effect is the same, as far as a permissively configured browser is
concerned, when it interprets html with embedded executable content.

browsers don't define html... the 'effect' may very well be the same
but the fact is that html does not have instructions, it has tags... if
tags were instructions they'd be called instructions...

This is why I originally said it should be considered a programming
language, although you and I know that in its pure form it is not.
Html has evolved to allow all sorts of constructs and active content
which we might think inappropriate for a text markup language, but
was thought necessary to enhance hypertext for the web experience.

i reiterate - those are *not* part of html... what html has is the
ability to act as a container for non-html content, nothing more... it
is no different than an archive format in that respect...

An html text file with the "embelishments" effectively becomes one
script containing not only layout and display descriptions, but
references to executable objects, and program source code which will
be interpreted and run in a suitably configured browser. Perhaps I
should not have called this conglomeration "html" in my original post
to this thread.

that conglomeration is an html document, but it is not html...

here's an obvious distinction - it is possible to have a browser that
fully complies with the html standard and yet does not (even can not)
execute the additional content contained within html documents they
display (think lynx, or maybe arachne), just as there are email clients
that do not (even can not) execute the additional content contained
within the emails they display...

would you condone emails being called programs in spite of the fact
that the specifications for email do not include mention of
instructions to be carried out when encountered in the email body? why
should html documents be considered any different? they are containers
of arbitrary content and their respective readers may be (often are)
configured to execute some of that content automagically...

 

[Richard S. Westmoreland]

that conglomeration is an html document, but it is not html...

Isn't that the point he is trying to get across? I don't think he's talking
about the philosophical nature of html as a syntax. I think he's refreing
to the document itself and what it does when it is opened.

Rick

 

[Leythos]

Isn't that the point he is trying to get across? I don't think he's talking
about the philosophical nature of html as a syntax. I think he's refreing
to the document itself and what it does when it is opened.

HTML documents don't do ANYTHING when opened, the processing engine in
the application opening them does the rendering. Which means, if you
were using a secure application that nothing bad could happen. It's not
the fault of the HTML document, it's the rendering application.

If you want to blame something, blame the scripting language which has
it's code embedded in the HTML document - HTML is relatively safe, only
the scripts that are embedded in it, which are not HTML, are unsafe.

You can open the script by itself and get the effect, and without the
HTML page too.

 

[Richard S. Westmoreland]

HTML documents don't do ANYTHING when opened, the processing engine in
the application opening them does the rendering. Which means, if you
were using a secure application that nothing bad could happen. It's not
the fault of the HTML document, it's the rendering application.

If you want to blame something, blame the scripting language which has
it's code embedded in the HTML document - HTML is relatively safe, only
the scripts that are embedded in it, which are not HTML, are unsafe.

We're not trying to "blame" something, just classify the threat. Okay let
me rephrase my last statement.

I think he's refering to the document itself and what is the result when it
is opened.

People don't send you buggy rendering processing engines to inflict damage.
The bad software is the exploitable, the html "file" is the exploit (html
plus embedded junk), and the whole thing is the threat.

You guys are now arguing just argue.

Rick

 

[Leythos]

We're not trying to "blame" something, just classify the threat. Okay let
me rephrase my last statement.

I think he's refering to the document itself and what is the result when it
is opened.

People don't send you buggy rendering processing engines to inflict damage.
The bad software is the exploitable, the html "file" is the exploit (html
plus embedded junk), and the whole thing is the threat.

But I disagree, the HTML is not the problem, neither is the script, it's
the fact that the user is running a app that allows certain programming
flaws to be exploited.

If I were to render HTML pages with FireFox, the script, based on my
settings in FireFox, would not even be a small threat, in fact, it's not
a threat at all. If I were to render the HTML in IE, were it configured
properly, it would also not be a threat.

What you can say is that scripts embedded in HTML are a threat to some
applications, but, since you can run a script without any HTML being
present, HTML is not a threat - it's just the part that gets seen and
therefor gets blamed.

This is akin to saying that Needles are a threat in all forms - which is
not true, it depends on the contents that are not part of the needle.

If I load the malicious script on my web site, with no HTML, and pass
you the URL, you will have just as much opportunity to see the malicious
results as if I had embedded it in a HTML page.

You scope of realization is too narrow in this idea.

Oh, one other thing - I only argue to argue when I'm arguing with Family

 

[Richard S. Westmoreland]

This is akin to saying that Needles are a threat in all forms - which is
not true, it depends on the contents that are not part of the needle.

My perspective on this debate, is that some needles are threats. Those
threatening needles are threats. Needles in general are a potential threat,
but not an ative threat. But aren't we talking about the needles that *are*
threats? Isn't that what this branched-off debate it about? I think it's
the needles that killed the horse.

I think it comes down to whether you have reactive mentality or proactive
mentality. Some people will look at that html file and think "it's just
data, it is harmless right now, so it is not threatening", and some people
think "it's data, but how many different ways can this affect me given x and
y scenario".

Rick

 

[Roger Wilco]

We're not trying to "blame" something, just classify the threat. Okay let
me rephrase my last statement.

I think he's refering to the document itself and what is the result when it
is opened.

People don't send you buggy rendering processing engines to inflict damage.
The bad software is the exploitable, the html "file" is the exploit (html
plus embedded junk), and the whole thing is the threat.

You guys are now arguing just argue.

Just like "e-mail is a threat" - well, it is (or can be). But arguably it is the extension to e-mail (MIME) that is the threat
because without it we would have only text (like the good old days) - but wait...MIME itself isn't bad, it is a container
for the multipurpose extended content which can be HTML or attached content or script within HTML or whatever
that is extracted from their containers and executed by the mail client's use of OS resources. To guard against such
threats as e-mail you could set a policy to not allow any - but all you really needed to do is not allow the script to run.
Same with HTML files in general - you wouldn't need to disallow HTML to stop the threat, only the scripting. It is
best to look at what is actually the threat instead of labelling all HTML as dangerous.

 

[kurt wismer]

Isn't that the point he is trying to get across? I don't think he's talking
about the philosophical nature of html as a syntax. I think he's refreing
to the document itself and what it does when it is opened.

yes, but he's said things like you can make programs with html, which
is false...

even an html document is not a program, it is a container that *may*
house one or more programs (not unlike a word document, actually)...

 

[Ant]

i actually meant that it was an embellishment on your part, not the
designers part, nor html's part...

Ok, the capable browser says "Ooh look, a script tag! That means I can
run what's inside. Oh well, if you insist...", or words to that effect.

browsers don't define html...

I know.

the 'effect' may very well be the same
Yes.

but the fact is that html does not have instructions, it has tags... if
tags were instructions they'd be called instructions...
Indeed.


i reiterate - those are *not* part of html...

I know.

what html has is the
ability to act as a container for non-html content, nothing more... it
is no different than an archive format in that respect...

It is different, in that the intention is for a browser to run that
content. I don't expect that when I open an archive.

that conglomeration is an html document, but it is not html...

The whole thing is effectively one script for a web browser to
interpret and act upon as it sees fit.

here's an obvious distinction - it is possible to have a browser that
fully complies with the html standard and yet does not (even can not)
execute the additional content contained within html documents they
display (think lynx, or maybe arachne),

True, but they are not as widely used as the ones that do. Many people
using popular browsers do not have them (or their operating system)
configured safely.

just as there are email clients
that do not (even can not) execute the additional content contained
within the emails they display...

would you condone emails being called programs

I'm not comfortable with calling email or html documents "programs",
but was suggesting they should be treated as such because of the way
they are mostly handled.

in spite of the fact
that the specifications for email do not include mention of
instructions to be carried out when encountered in the email body?

Email specs don't say a lot of things. When companies such as MS seek
to redefine email, enable processing of rich and executable content in
their email clients, and encourage users to accept this paradigm, we
have a problem when their software is so widely used.

why should html documents be considered any different?

Perhaps they shouldn't (because of the way emails are often handled).
However, the difference for me is that I expect and want to run
active content in some trusted webpages, but I never do with emails.

they are containers
of arbitrary content and their respective readers may be (often are)
configured to execute some of that content automagically...

They are containers, but any executable content is in them for the
purpose of being run. You might say that an exe file is a container
of machine code and data. If I open it with a loader it will be run.
If I open it with a debugger I can choose to run some of it, and
display the data within (bitmaps, etc.). If I open it with dependency
walker it won't be run. Granted, you will always expect an exe to be
run when loaded by the OS, but you won't necessarily expect that for
the scripts in an html document loaded by a browser.

 

[Ant]

"kurt wismer":

Isn't that the point he is trying to get across? I don't think he's
talking about the philosophical nature of html as a syntax.

I'm not. I know that html is not a programming language; I said so in
my original post.

I think he's refreing
to the document itself and what it does when it is opened.

Yes. I'm referring to the whole document, what it contains, and what
browsers are expected to do with it all when they open the document.

I said that html should be considered a programming language. The
reason being, that it allows you to create, in effect, a single script
for a browser to process, parts of which may be executable. That
statement is what sparked off this sub-thread. In retrospect, I
probably should have chosen my words more carefully.

 

[Randall Bart]

'Twas Wed, 1 Dec 2004 14:49:43 -0500 when all alt.privacy.spyware stood in

My perspective on this debate, is that some needles are threats. Those
threatening needles are threats. Needles in general are a potential threat,
but not an ative threat. But aren't we talking about the needles that *are*
threats? Isn't that what this branched-off debate it about? I think it's
the needles that killed the horse.

I volunteer to help carry out the horse when y'all are through beating it.

--
RB |\ © Randall Bart
aa |/ (e-mail address removed) (e-mail address removed)
nr |\ Please reply without spam I LOVE YOU 1-917-715-0831
dt ||\ Do the Math: http://calculator.brainthru.com
a |/ Our New Attorney General: http://alberto.brainthru.com
l |\ DOT-HS-808-065 The Church Of The Unauthorized Truth:
l |/ MS^7=6/28/107 http://yg.cotut.com mailto:[email protected]

 

[Richard S. Westmoreland]

I think it's

I volunteer to help carry out the horse when y'all are through beating it.

You can have the horse now, I'm through with it.

Rick

 

[kurt wismer]

Ant wrote:
[snip]

I'm not comfortable with calling email or html documents "programs",
but was suggesting they should be treated as such because of the way
they are mostly handled.

ok, lets compromise....

i'll agree that visiting web pages often poses a risk of malicious code
execution if you'll agree that it is not the html language but the
value-added web browsing experience that browser developers have
created that poses the real risks...

 

[xmp]

yes, but he's said things like you can make programs with html, which is
false...

even an html document is not a program, it is a container that *may*
house one or more programs (not unlike a word document, actually)...

ah, shut up. you can tell the programmers from the non-programmers in
this thread.

Kurt is an idiot (as usual).

michael

 

[xmp]

ok, lets compromise....

i'll agree that visiting web pages often poses a risk of malicious code
execution if you'll agree that it is not the html language but the
value-added web browsing experience that browser developers have created
that poses the real risks...

and what about the GDI+ exploit? unless you consider the rendering of
images to be a value-added web browsing experience.

folks, Kurt is the resident alt.comp-anti-virus troll (and village
idiot). just put him in the PLONK file and be done with it.

michael

 

[Roger Wilco]

ah, shut up. you can tell the programmers from the non-programmers in
this thread.

Programmers are often ignorant of computer science, but most computer scientists do know what programs are and are not.
From your statement I would class you as non-programmer but for the fact that I know many programmers that don't know
how stuff works. The fact is that programming languages are designed to enable programming by the clueless. The state of
being a programmer does not mean the person has a clue.

Kurt is an idiot (as usual).

For an idiot he sure knows what he is talking about. A W32 executable may need some translation to be made into an
executable image, but it is a program file even though it is sort of like a container. Sending it as inline content in an HTML
w\scripting email does not make the email a program any more than does archiving it in a zip file make the zip file a program.

 

[xmp]

Programmers are often ignorant of computer science, but most computer scientists do know what programs are and are not.
From your statement I would class you as non-programmer but for the fact that I know many programmers that don't know
how stuff works. The fact is that programming languages are designed to enable programming by the clueless. The state of
being a programmer does not mean the person has a clue.

it's just a semantical game. persons jump on this thread as if it means
something, but it's simply wasted bandwidth IMHO. there are multiple
definitions for program (look it up for proof) and it's nothing more
than a classic lumping / splitting taxonomical issue.

michael

 

[Leythos]

it's just a semantical game. persons jump on this thread as if it means
something, but it's simply wasted bandwidth IMHO. there are multiple
definitions for program (look it up for proof) and it's nothing more
than a classic lumping / splitting taxonomical issue.

You don't have to participate in the thread if you don't want too. Since
this is a very low bandwidth group, and the subject is on topic, you can
choose to rise above all of us and ignore it

 

[Ant]

Ant wrote:
[snip]

I'm not comfortable with calling email or html documents "programs",
but was suggesting they should be treated as such because of the way
they are mostly handled.

ok, lets compromise....

i'll agree that visiting web pages often poses a risk of malicious code
execution if you'll agree that it is not the html language but the
value-added web browsing experience that browser developers have
created that poses the real risks...

I reckon I've said all that I wanted to say about the issue. This sub-
thread has gone on long enough, and people are getting tired of it. I
also don't like the cross-posting, although I read all the groups
apart from alt.privacy.spyware.

I understand your position, and I don't fundamentally disagree with
it. So, as Andrew Wiles said when he thought he had cracked Fermat's
last theorem, "I think I'll stop here". That reference to prof Wiles
is irrelevant, I just wanted to use his words. Let's not argue about
that