i also, in total ignorance, have a tinge of wonder as to whether something
we haven't yet defined in MIME, or something we defined incorrectly, might
have some bearing on this. i can't define that any better than that,
though it seems maybe there could be some way of marking "this part
will be executed".

Part of the problem is that the predicate "can be executed" (or more
precisely, "can have harmful side-effects if evaluated/presented on
your computer") evaluates to "true", under some circumstances, for
essentially everything - including plain text if being viewed on
a terminal with a programmable answerback sequence. It's certainly
true for most word processor documents, spreadsheets, presentation
formats, etc. These formats were designed for maximum flexibility
rather than maximum security.

MIME content-type registration rules tried to deal with this by requiring
the person registering a content-type to analyze and document security
considerations of that type. That was intended to serve as a warning to
implementors to allow them to provide effective countermeasures.

Unfortunately, one major vendor decided to disregard the content-type and
make dispatching decisions based primarily on the filename suffix - thus
bypassing MIME's carefully crafted compromise between security and
flexibility.

Keith
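
The disagreement described in the message above, between a part's declared content-type and the type its filename suffix implies, can be checked on the receiving side. This is an added example, not part of the original message; the sample message and the function name `suffix_mismatches` are constructed for illustration.

```python
import mimetypes
from email import message_from_string, policy

# Constructed sample message (not from the original thread): the second part
# declares text/plain but carries a filename whose suffix maps to text/html.
SAMPLE = """\
From: a@example.org
To: b@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

hello
--b1
Content-Type: text/plain; name="notes.html"
Content-Disposition: attachment; filename="notes.html"

<html><body>hi</body></html>
--b1
Content-Type: image/png; name="logo.png"
Content-Disposition: attachment; filename="logo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

def suffix_mismatches(raw):
    """Return (filename, declared_type, suffix_type) for every named part
    whose declared Content-Type disagrees with its filename suffix."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue  # containers and unnamed parts have no suffix to compare
        declared = part.get_content_type()
        implied, _ = mimetypes.guess_type(name)
        # A receiver dispatching on the suffix would treat this part as
        # `implied`, ignoring what the sender declared.
        if implied and implied != declared:
            findings.append((name, declared, implied))
    return findings
```

A mail gateway or client can log or quarantine the parts this returns, so that handling follows the declared type and its documented security considerations rather than the suffix.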