
Re: ActiveX security hole reported.



Hi:

      When I originally posted the note which started this thread,
I didn't quite appreciate the number of followups it would elicit.

    Since Monday, I have tried the 'exploder' ActiveX control - it
downloads an ocx, and notes that the code is unsigned, and
possibly dangerous - you have to make a decision to accept the
risk.

    ActiveX, Java, etc, are tools. It is in the nature of tools that they
are potentially dangerous, and it is generally true that the more
powerful the tool, the more dangerous it can be in uncautious or
unknowing hands. Knives cut fingers as well as steak.

   The question arises - When is a tool too dangerous to be
given to people untrained in its potential risks? Can a tool
be made safe, yet still be useful? Is ActiveX a straight razor
compared to the safety blade of Java?

* I think it's true that many users will click on 'OK' dialogs without
  really considering the potential consequences. 

* I think it's true that for a long time, many or most
  ActiveX tools will be unsigned, and people will get used to 
  using them unsigned.

* I think it's true that Bad People will exploit security holes for
  many reasons, from industrial espionage to vandalism.

ActiveX has me worried. I can think of many nightmare scenarios.
Here's one:

A Bad Person writes a truly useful little utility as an ActiveX control.
It does no overt harm to your system, but *does* patch MSIE to 
disable signature checking on further ActiveX control downloads
if they contain a certain string of bytes. 

I'll leave the consequences as an exercise to the reader.

 

Peter Trei
Senior Software Engineer
Purveyor Development Team                                
Process Software Corporation
http://www.process.com
trei@process.com

