Tim Hammerquist <tim@vegeta.ath.cx> wrote:
> Rudolf Polzer graced us by uttering:
> >> But if there's an image viewer that extracts native binary
> >> code from the depths of the encoded image file and executes
> >> it, you have a very poor (or custom) viewer.
> > 
> > Quake2 contained a backdoor that allowed the ID Software subnet
> > to send console commands to the Q2 server (after some time, the
> > backdoor was removed). So how do you know if IrfanView has a
> > backdoor? You can't unless you have the time to disassemble it.
> 
> I can't be sure that IrfanView doesn't.  But I don't use
> IrfanView.  In any case, if IrfanView _does_ execute binary code
> within a JPG file, it would (1) only work on binary-compatible
> machines

No problem, IrfanView also only works on binary-compatible machines.

> and (2) come under the "very poor...viewer" description

ACK.

> above.  Q2 had a specific reason to check for code from the net,

It doesn't.

[...]
> > Of course. Even more correct: under any circumstances, no part
> > of an image file should be executed.
> 
> Except for Q2's use of this above?  Or are you agreeing with
> their decision to stop this behavior?

Of course. Using console commands, it was not only possible to check and
set game settings. It's possible to change to any directory and write to
demos/*.dm2 or save/*.sav files there and to list any directory's
contents. IMHO that is too much: remotely filling a hard drive.

> >> IRC-boys will always try to tell you to download programs to
> >> erase your HD, or at least your $HOME dir, whether they
> >> promise to deliver "50% better performance" or just give you
> >> the latest Britney pix.
> > 
> > I never met one who tried. I'm in the wrong channel... all I
> > get are mails with 0190 dialers for Windows that supposedly
> > allow access to XXX sites. As if I needed them and was too
> > stupid to find free ones... but these dialers don't work
> > because I don't have a modem/ISDN card and because I don't have
> > Windows.
> 
> I don't frequent these channels either, but I keep seeing usenet
> posts from victims of the "performance improvement" variety.
> I've met one person on IRC who offered me a build of rpm for my
> linux box, but I declined.

Why didn't you take the RPM, check what it's doing (often these lamers
use shell scripts for that) (especially the POSTINSTALL part),
recompress and rename it and send it back to the idiot?

> >> I guess I'm just describing virii that depend on user
> >> ignorance,
> > 
> > You mean - for example - using OE for external mail and news?
> > ^_^
> 
> I'm not sure that's a fair accusation...
> 
> ...but it's true.  ;)

And for example Kak depended on it.

> > And Windows does not have many flaws (except design flaws -
> > Windows *is* one).
> 
> Windows _does_ have flaws.

I meant security flaws.

> How many times has Explorer crashed on me?

It runs with the same privileges as you, so you cannot exploit it.
I only know these NetBIOS flaws that allow anyone to remotely produce
bluescreens (they may be exploitable, but I did not check with SoftICE).

> If there is any more integral part of Windows than Explorer

VMM32?

> I've yet to have the pleasure of removing it from my hard drive.
> =)

Which is really hard with the explorer. You can change the shell, but
any program that has a file-open dialog will use the Explorer for that.

But even worse about Windows: you cannot change the window manager.

-- 
To view the lower part of this signature, apply ROT13 to the whole message.
Gb ivrj gur hccre cneg bs guvf fvtangher, nccyl EBG13 gb gur jubyr zrffntr.