<OT> VBscript in html: Security threat?
Condon Thomas A KPWA
tcondon
Mon May 17 11:51:42 PDT 2004
Joel Hammer wrote:
> I see that vbscript can be embedded in html.
>
> Javascript was written to make it very hard to attack the client
> computer, whereas vbscript doesn't have these safeguards built in,
> does it? VBscript can do a lot of stuff, like write to your hard
> drive and run windows software. It really is a beaut.
But we know *everybody* wants to run windows software. This is a *favor*
they are doing us.
> It would seem like child's play to encode malicious things in vbscript
> and let the IE users get whacked. If IE somehow was protected against
> running this program, it would be easy to make a vbscript a payload
> (cool screen saver!) and then have the unlucky user click on it and
> run it.
That's been done, both ways.
> What am I missing?
Nothing.
> Who in his right mind would use vbscript over javascript in their
> html, anyway? Why would you keep out anyone not using IE and a modern
> version of windows? (Let me guess. People who use MS development
> products.)
People force into it by management. No one ever got fired for buying IBM
products, nor Microsoft software.
Precisely. Windozers use M$ tools that deliberately use non-conforming HTML
and VBScript so you can't see the pages correctly without IE. Only if you
wake up and get a clue can you break out of the box.
Tom :-})
Thomas A. Condon
Plain Text Emails Don't Pass Viruses!
More information about the Linux-users
mailing list