[Bf-committers] Please turn off Auto Run Python Scripts by default

Chad Fraleigh chadf at triularity.org
Sat Jun 8 23:37:54 CEST 2013


On Sat, Jun 8, 2013 at 11:55 AM, Harley Acheson <harley.acheson at gmail.com> wrote:

> Something quite important has to happen in order to turn a one-to-one
> attack into a virus-like problem.
>
> As "patient zero" I get the first bad blend. It can't immediately do
> something bad to me or that is the end of the infection as I will not be
> able to infect anyone else. Instead it needs to make it so that any new
> files I create (and/or old ones) contain the same bad behavior. Otherwise
> it can't replicate.
>
> So isn't the answer simple?  Just not allow a *script* to set any settings
> related to the auto-running of scripts?
>

Unless it manipulates the to-be-infected files directly. Old boot sector
viruses could do what they needed in a few hundred bytes (if not far less)
and only with basic BIOS/DOS services available. Now compare that with
what power a Python script has at its disposal and try to imagine what it
"can't" do.

All that is needed is to get a [normally] "trusted" source of .blend files
to open one infected file with autorun (due to overconfidence, being
rushed, sleep deprivation, distracted by pets/kids/spouse, etc.) and now
everyone using future releases of their "trusted" files is at high risk.
This is Virus Propagation 101.

Even that [presumed safe] commercial DVD of Blender media isn't 100% immune
to passing viruses along. Many years ago I worked somewhere in which there
was a virus on the mouse driver floppy as-is from the computer vendor.
While things like this are rare, they can happen (admittedly more so when
virus scanners were uncommon/non-existent).


-Chad

