I've seen a number of files posted to Google Docs that I'm interested in reading, but I'm worried about the chance of a virus or other malware from opening it.

Is that a legitimate concern? Is there anything in place at GoogleDocs to prevent 'contagions' from hiding in a document?

(This includes but is not limited to documents linked to at this forum. I'm fairly confident that a doc that was infected, if such is possible, would be reported and the link noted/removed rather quickly here, but it's still a general concern.)

To my knowledge, it should be impossible to get a virus from opening a Google Doc. It's literally just text. Now, it's possible for links within the Doc to contain viruses, but so long as the link is to a real Google Doc, you should be safe.

Do note, I'm not the most tech savvy, so don't take my word as infallible.

To my knowledge, it should be impossible to get a virus from opening a Google Doc. It's literally just text. Now, it's possible for links within the Doc to contain viruses, but so long as the link is to a real Google Doc, you should be safe.

Do note, I'm not the most tech savvy, so don't take my word as infallible.

My understanding is that typically a virus from a website will be introduced in one of two ways. One is that the website itself has a script included in it to try and put the virus on your computer. Since the creator of a google doc isn't not the actual website creator, this is exceptionally unlikely. The other way is that a similar script is included in an advertisement that plays on the website. Again, as a google doc does not typically include ads, this is unlikely to infect you.

A third way to infect people is to try and convince them that the virus is a legitimate download (ie, that it is an update to flash or something) so that they will manually download and allow it. Its not strictly impossible that such a method could be included, say, as a link it will ask you to click, but the doc itself is safe in this case.

Is it theoretically possible? Maybe. Is it likely? No. Google has a lot of very smart people who are very concerned about security, and a virus distributed via simply opening and viewing a Google Doc would have to use a bug/exploit that they missed and haven't fixed yet - and since it's a web site, fixes are always up to date with the latest version. And that's on top of the browser's own document containment and sandboxing measures.

Be careful about anything that pops up a dialog and asks you for permission/confirmation, though, because if you say yes to one of those you're explicitly bypassing some important safeguards.

...One is that the website itself has a script included in it to try and put the virus on your computer. Since the creator of a google doc isn't not the actual website creator, this is exceptionally unlikely.

Not exactly. This avenue relies on the website having a malicious script on it, yes, but potentially anyone who can upload content to the website can also create such a script, depending on how the site is set up. In this case, there would need to be sufficient scripting functionality available from within Google Docs, but if there were and if it was unsecured, a user could create and embed a malicious script within a Google Doc.

However, as Douglas pointed, it's unlikely that will happen.

Be careful about anything that pops up a dialog and asks you for permission/confirmation, though, because if you say yes to one of those you're explicitly bypassing some important safeguards.

Or interact with it in any way, criminals have no compunction about lying, writing "no" on the yes button is trivial.

Or interact with it in any way, criminals have no compunction about lying, writing "no" on the yes button is trivial.
On older browsers, maybe. In recent years, all major browsers have made it so that the only way to pop up a dialog that can actually give a script permission to do something is to pop up a premade browser-supplied dialog that the script has strictly limited ability to customize. The message about exactly what it is you're giving permission for can be blatant lies, within certain limits, but which button says "yes" is fixed.

On older browsers, maybe. In recent years, all major browsers have made it so that the only way to pop up a dialog that can actually give a script permission to do something is to pop up a premade browser-supplied dialog that the script has strictly limited ability to customize. The message about exactly what it is you're giving permission for can be blatant lies, within certain limits, but which button says "yes" is fixed.
Ah, that's interesting.

I was thinking of the Win 10 update thing where closing the box is apparently taken as "yes", but that isn't in a browser.

As has been said, it's theoretically possible but extremely unlikely, particularly given that you're not talking about things you pulled up on some sketchy site to begin with.

I was thinking of the Win 10 update thing where closing the box is apparently taken as "yes", but that isn't in a browser.
I believe that is a slightly different situation: Windows was making you aware of an auto-update (or perhaps a download) and so if you don't hit Cancel, the OS continues to do what it is currently doing. Closing the window does not cancel the process, which is what most people would suspect.

You are right that it isn't related to what happens in a browser. For one, those browser programs don't have the variety to implement something like that. They need explicit permission from the user to even begin a download or running a program, either from clicking "Yes" on the prompt or by changing the settings in the browser. Just note that if you've change the settings in a browser to automatically allow any such programs - unlikely, but some people do so to visit some websites without hassle - then the website could possibly start running a program without your knowlege.

I believe that is a slightly different situation: Windows was making you aware of an auto-update (or perhaps a download) and so if you don't hit Cancel, the OS continues to do what it is currently doing. Closing the window does not cancel the process, which is what most people would suspect.

You are right that it isn't related to what happens in a browser. For one, those browser programs don't have the variety to implement something like that. They need explicit permission from the user to even begin a download or running a program, either from clicking "Yes" on the prompt or by changing the settings in the browser. Just note that if you've change the settings in a browser to automatically allow any such programs - unlikely, but some people do so to visit some websites without hassle - then the website could possibly start running a program without your knowlege.
The Win 10 thing was seen as devious by the people subjected to it.

I think we are probably overestimating the safety of following the herd in this, there are crooks out there, and they will do anything that's easy to get our money. There are supposedly a million lines of code in Windows, that's too much code for anyone to know everything about, a crook only has to understand one line at a time, and work out an exploit based on interactions between a few lines. I'm not saying it's easy to get access to the source code for windows, but a lot of people have access to the machine code, that's very difficult to read, but it can be done.

In a sense, viewing a GoogleDoc is approximately as safe as viewing this topic. One could nitpick that statement either way- Google has many more experts on their end to ensure things are safe, vBulletin is generally more restrictive on what you can do compared to a GoogleDoc so there's less "holes" to poke through, GoogleDocs is a thing from a big company so it's a bigger target for anyone trying to be malicious for the sake of being malicious, GitP is a smaller website so it's an easier target for someone who just wants to watch the world burn, and so on- but I think that's a good napkin comparison.

In other words, do you feel lucky? safe? Do you? :smallwink:

Difficult if not impossible, I'd think. I've read dozens of google doc articles and never had any issue that I would attribute to it.