Hi,

I have bery little experience with Applescript, but the recent uproar about VBS worms created on windows makes me want to know more about the potential for abuse that applescript offers.

Does anyone do scripting in Visual Basic on PCs, and using applescript? I'm curious if either applescript is not as powerful as vbs, or if there just aren't enough "hackers" out there to have started created applescript worms that send mass mails through outlook express or eudora.

thanks for your opinions.

[mjpaci]

There are AppleScript worms out there. They're just not as common. Hang around on a few HotLine servers and you're sure to catch a few.

--Mike

applescript worms are easy to create. but it's not possible to make them start by just opening an e-mail. let's hope ms doesn't introduce this <innovation> in its next version of outlook for the mac...

An important distinction is that there is no option for Applescripts to be run automatically when reading an EMail message as there is for VBScripts to be run automatically by Outlook on Windows. People that left that on (I think its a DEFAULT) got hit by the virus without even explicitly downloading the attachment.

[tsheley]

I am a programmer that uses VB and VBS. The VBS script is not run automatically by Outlook. The user has to double click it and open the script first in order for it to run. I just wanted to clear up that the VBS can sit in the user's Inbox forever and be fine until they double click the VBS file.

Actually, if you look under Tools>Options>Security>Attach ment Security... the "Low" security option in conjuction with a preview pane being used will cause the script to be run automatically if the message is viewed, no download. This affected several of the PeeCee users I am asked to support here. While nobody should have chosen this, it should not even be an option!

For an AppleScript to be run, it must first
be opened in the "Script Editor" and then
the USER has to click "run"...
---OR---
It must have been compiled into an AppleScript
application - in which case it's just like any other application you receive via email.

The problem with VBS is that it comes as a text file, that is run (not opened in an editor) when double clicked.

Most Anti-virus warn you of any executable you receive, but text files?? No warnings.

Applescripts need to be compiled to run -- as a virus. An unscrupulous developer could pre-compile an Applescript application as a runtime, however, in order for anything to work properly in applescript, one needs to know the names of things like startup drives and locations of folders. In order for scripts to really work cross-computer, the scripter must use a routine called double-tell -- which kind of abstracts name-spaces between computers, -- without this, the end user would have to edit the script or tell the "virus" where to do its work.

Applescripts also have short wait times -- so if someone set a routine to find a Eudora folder, the script most likely would time out before the thread for finding the folder would complete. While threads are running, the script is also very stoppable, and very visible. An applescript-virus might run, but it won't get very far before the end-user would be able to figure things out -- and stop it.

Also, there are very few hooks directly into the system, and software is not quite wired for Applescript to begin with. In other words, not everything in an application is scriptable; ususally, only the most basic commands are scriptable (open, print, quit, and run are usually required) and WHAT is scriptable is determined by what the developing company has made scriptable. Also, the mechanism for doing things in Applescript is very much like doing macros... Sending email in Eudora, for example, (oh, and Eudora and Eudora Pro have completely different Applescript implementations), one could script to send an email in a user's address book, the script can compose the message, but there's no mechanism for automatically sending all those emails. In terms of the system, without the help of some helper applications, OSAX's, or whatnot, it's not easy to say, make an applescript to automatically restart a computer... and there are dialog boxes that automatically pop up (via the system) so that users don't automatically empty their trash without knowing it, or other very damaging actions.

Next, scripts are binaries that are stored in the resource fork, not the data fork of the document... so compiled runtime scripts would have to be binhex'd or stuffed in order to be sent through emails.

There may be ways around all this (ways I haven't explored yet)... but you know, it's a lot more difficult to exploit Applescript for a virus. MS, in their aim to "please" developers, have also left there system wide-open for attacks, especially VBS and Exchange. Hackers have repeatedly pointed out the holes to anyone who will listen -- so why isn't it MS's fault for not fixing them? -- the reason lies in the fact that in order to backtrack and fix the holes, MS would face a terrible developer backlash and a PR nightmare. I think MS fears fixing these "undocumented features" more than a silly anti-trust trial. -- Just look at Billy's lame excuse for not breaking up MS: Don't break us up, we won't be able to respond to viruses?! Excuse me, but I don't recall any Microsoft-branded virus protection software...

Just to be clear, AppleScripts can access the startup drive by referring to it as "the startup drive". They can also be told _not_ to wait for a response to an action, so that they could, say, delete a whole bunch of files and quit before the action is completed. (That's the "ignore ..." command, I believe.)

So they can in fact be very dangerous, but most mac e-mail clients don't auto-run them. That's the key. This whole thing could have been avoided if the most basic security precautions were followed by MS as well as users.

[P]

To clarify a bit on Outlook and VBS: There is a setting in the Internet control panel on windows. If set to high, the script won't run unless doubleclicked. If set to low, it will run automatically. If set to medium, Outlook will present a comnfirmation dialog before running.

The problem is that even if set to high, many people double-click the attachment if they recognize the sender. Hopefully they will have learnt the lesson now...

[tsheley]

You are right. I just thought nobody would actually turn that option all the way off. Why would Microsoft even give that as an option?