[cap-talk] languages as interfaces/macros and functions in communication
David Mercer
radix42 at cox.net
Tue May 11 06:24:55 EDT 2004
At 08:35 PM 5/10/2004, you wrote:
>At 04:25 AM 5/8/2004, Jonathan S. Shapiro wrote:
>>On Sat, 2004-05-08 at 02:57, John Carlson wrote:
>> > Does someone know how to
>> > 1. break my printer with PostScript? Or
>> > 2. break my display with Display PostScript?
>> > 3. Ever hear of a PDF document carrying a virus?
>>
>>Yes, yes, and yes.
>
>1. Sounds like a hardware problem to me. I don't believe software
>(even a driver) should be able to "break" a printer.

No, you see PostScript is a rendering language very similar to
FORTH. Rendering a PostScript document for display/printing on
a particular device IS the act of running a PostScript program.
One can indeed craft PostScript code that will cause physical damage
to a printer, albeit with great difficulty. But as pointed out
in another branch of this thread, if the PostScript interpreter in
question is running on your PC, Surprise! it can do any damn thing
it wants to your machine, just like any other binary in our cursed
world without POLA.

>2. By "break" I guess you mean it displays garbage? Of course
>that can happen. That doesn't sound particularly serious to me.
>Presumably it could deliberately "draw" garbage.

See my reply to 1. above :-)
Yes, you could embed system calls that drive a monitor at a refresh
rate it can't handle (if the video card will do high enough above what
it's rated for). Viruses that will cause a machine to emit smoke, hence
'smokers', have been written. But those wouldn't be likely to be in a
PostScript file, and even the very naughty persons who've fooled with
such things seem to know better than to release them into the wild;
something in your bones just has to tell you that frying monitors on
a Netsky-type infection scale would get you good and screwed.

>3. Sigh. This is of course an example of the sort of thing we are
>all trying to eliminate (greatly reduce) as an issue. Namely the fact
>that a renderer like the Acrobat reader would even be a potential
>source of a virus infection. One can of course stay updated with
>the latest free reader, but what about the software that Adobe
>charges for (e.g. Acrobat, distiller, etc.)? Do I have to keep buying
>new versions just to be protected from security vulnerabilities
>in the previous versions? E.g. the last update for Acrobat 4.x
>was in July of 2000.

No, as we're not talking here about a virus that infects the Acrobat
executable, but rather hostile PostScript/EPS/DPS/PDF programs.
Pretty much the exact same situation as Word macros (hostile executable
content) from a security engineering perspective, but with the added
fun that PostScript sent to a printer is a program interacting with the
physical world.

Cheers,
David Mercer
Tucson, AZ
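
Added example, not part of the original post: a toy PostScript-like interpreter showing that "rendering" a document means executing it, and that what the document can touch is decided by which operators the interpreter was handed (the POLA point above). The operator subset, the in-memory "disk" and the sample document are constructed for illustration; nothing here touches real files or a real PostScript implementation.

```python
# Added illustration, not from the original post: a toy PostScript-like
# interpreter. Operator subset, in-memory "disk" and document are constructed.
import re

TOKEN = re.compile(r"\((?:[^()\\]|\\.)*\)|[^\s()]+")
class UndefinedOperator(Exception):
    """The document named an operator the interpreter was not granted."""

def drawing_ops(page):
    """Operators a renderer needs: they can only append marks to `page`."""
    def moveto(st):
        y, x = st.pop(), st.pop()
        page.append(("moveto", x, y))
    def show(st):
        page.append(("show", st.pop()))
    return {"moveto": moveto, "show": show}

def file_ops(disk):
    """Ambient-authority operators: they reach state outside the page."""
    def deletefile(st):
        disk.pop(st.pop(), None)
    return {"deletefile": deletefile}

def render(document, ops):
    """'Rendering' is executing: each token is pushed or run, in order."""
    stack = []
    for tok in TOKEN.findall(document):
        if tok.startswith("("):
            stack.append(tok[1:-1])          # string literal
        elif re.fullmatch(r"-?\d+", tok):
            stack.append(int(tok))           # integer literal
        elif tok in ops:
            ops[tok](stack)                  # executable name
        else:
            raise UndefinedOperator(tok)     # no authority for this name

DOCUMENT = "(report.txt) deletefile 72 720 moveto (Hello) show"

def demo():
    # Interpreter holding file authority: viewing the page alters the disk.
    disk_a, page_a = {"report.txt": b"q1 numbers"}, []
    render(DOCUMENT, {**drawing_ops(page_a), **file_ops(disk_a)})
    # Interpreter granted only drawing authority: the same document is refused.
    disk_b, page_b, refused = {"report.txt": b"q1 numbers"}, [], None
    try:
        render(DOCUMENT, drawing_ops(page_b))
    except UndefinedOperator as exc:
        refused = str(exc)
    return disk_a, page_a, disk_b, page_b, refused
```

The confined run stops at the first operator it was never given, so the constructed disk is untouched and nothing is drawn from the hostile document.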