“In this issue:
Old myths die hard! There's no doubt that Internet Explorer has more than it's fair share of security holes, but very few of them have to do with ActiveX. Seriously, of the perhaps hundreds of vulnerabilities of any import reported in Internet Explorer over the years, I bet you could count on two hands the number related to ActiveX.
As with programs that have nothing to do with ActiveX, the really serious bugs in Internet Explorer have been due to insufficient input validation between security zones or traditional buffer overflows. These are the staples of the vulnerability research business, and Mozilla and Firefox—and let's not forget Opera—have had their share of these, too.
While there has been a striking lack of actual evidence that ActiveX is unsafe, there has been no shortage of baseless assertions and cheap shots against it.
Let's review: What exactly is ActiveX and what does it do that's supposedly so dangerous? ActiveX controls are packages of code that can run in the context of the browser. They are installable through a link on a Web page. Exactly how different is this from having a link to an executable file that you have to explicitly run? Essentially not at all, except that the ActiveX version is more convenient. Even with Firefox you can download and run an executable file. Does this make Firefox unsafe? In fact, Mozilla and Firefox's support for XPCOM, a plain text and platform-independent software model, is very comparable to ActiveX once you get the user to click "Yes."
The complaint against ActiveX has always centered around the ability to install native code from across the Internet, but this is less unusual than it seems, and ActiveX arguably makes things more secure. When you encounter an object tag referencing a control that you do not have installed, you then have the opportunity to install it. Under the default security settings, you will be warned before this happens and given an opportunity to approve or reject the installation. There's more.
Sun actually paid someone to write a malicious ActiveX control. I was there at JavaOne when they demonstrated it (I think it was 1997). The test system brought up all the warning dialogs about the program that you usually get and the Sun employee actually had the nerve to keep whacking on the enter key quickly so they would close as quickly as possible and didn't mention that there were any such warnings.
From the very beginning, ActiveX has supported digital signatures of the code, and the user gets a chance to inspect the signature. The point of the signature is not to prove that the program is safe or honest, but that the authors of the program are who they claim to be. In a way this has been a failure because it needs to be easier to follow all the signature information provided by ActiveX to understand exactly what it proves. But the information is there for whoever wants to confirm it.…”
http://www.eweek.com/article2/0,1759,1785769,00.asp“Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open-source browser.
Details of the nine flaws were published on Mozilla's security Web site over the weekend.
Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said most of the vulnerabilities are based on the way the applications handle JavaScript.
"There are some permission issues related to running JavaScript at an escalated privilege level. They remove some of the security measures used to keep JavaScript sandboxed and allow it to potentially do malicious things to your computer," Latter said.
Another issue could allow malicious scripts to gain access to random pieces of memory, he said.
"This random memory may or may not contain pieces of information about where you have been browsing. The worst-case scenario is that it could contain some personal or login information," said Latter.…”
http://news.zdnet.com/2100-1009_22-5674883.html?tag=nl.e589
Posts
All Comments
