Re: (OT) Nice try dude
Rudolf Polzer graced us by uttering:
>> But if there's an image viewer that extracts native binary
>> code from the depths of the encoded image file and executes
>> it, you have a very poor (or custom) viewer.
>
> Quake2 contained a backdoor that allowed the ID Software subnet
> to send console commands to the Q2 server (after some time, the
> backdoor was removed). So how do you know if IrfanView has a
> backdoor? You can't unless you have the time to disassemble it.
I can't be sure that IrfanView doesn't. But I don't use
IrfanView. In any case, if IrfanView _does_ execute binary code
within a JPG file, it would (1) only work on binary-compatible
machines and (2) come under the "very poor...viewer" description
above. Q2 had a specific reason to check for code from the net,
but even this was apparently deemed not worth the risk. As
IrfanView has no reason whatsoever to either expect or interpret
network code in a file, any attempt by IrfanView to do so would
be a grave, serious, and generally Bad(TM) misfeature.
>> Under any normal circumstances, no part of an image file
>> should be "executed."
>
> Of course. Even more correct: under any circumstances, no part
> of an image file should be executed.
Except for Q2's use of this above? Or are you agreeing with
their decision to stop this behavior?
[ snip ]
>> But if you go around downloading just anything from the web
>> without considering its source, you're going to get screwed.
>
> Which meaning of the word "source" do you mean? The author of
> the program or its code?
source =~ origin
>> IRC-boys will always try to tell you to download programs to
>> erase your HD, or at least your $HOME dir, whether they
>> promise to deliver "50% better performance" or just give you
>> the latest Britney pix.
>
> I never met one who tried. I'm in the wrong channel... all I
> get are mails with 0190 dialers for Windows that supposedly
> allow access to XXX sites. As if I needed them and was too
> stupid to find free ones... but these dialers don't work
> because I don't have a modem/ISDN card and because I don't have
> Windows.
I don't frequent these channels either, but I keep seeing Usenet
posts from victims of the "performance improvement" variety.
I've met one person on IRC who offered me a build of rpm for my
Linux box, but I declined.
>> I guess I'm just describing virii that depend on user
>> ignorance,
>
> You mean - for example - using OE for external mail and news?
> ^_^
I'm not sure that's a fair accusation...
...but it's true. ;)
> Don't you read Bugtraq and Securityfocus?
No. I watch <http://theregister.co.uk/>.
> And Windows does not have many flaws (except design flaws -
> Windows *is* one).
Windows _does_ have flaws. How many times has Explorer crashed on
me? If there is any more integral part of Windows than Explorer
I've yet to have the pleasure of removing it from my hard drive.
=)
Tim Hammerquist
--
How do I type "for i in *.dvi do xdvi i done" in a GUI?
-- discussion in comp.os.linux.misc