
Re: ActiveX security hole reported.



On Fri, 16 Aug 1996, Peter Trei wrote:

>     ActiveX, Java, etc, are tools. It is in the nature of tools that they
> are potentially dangerous, and it is generally true that the more
> powerful the tool, the more dangerous it can be in uncautious or
> unknowing hands. Knives cut fingers as well as steak.

True, and guns kill good guys as well as bad.  However, we make a
reasonable effort to at least ensure that those with guns know how
to operate them, so they don't pull the trigger asking "what's this
lever do?"

ActiveX places a fully loaded shotgun in the hands of every MSIE
user, conveniently preconfigured to aim at their own face.

>    The question arises - When is a tool too dangerous to be
> given to people untrained in its potential risks? Can a tool
> be made safe, yet still be useful? Is ActiveX a straight razor
> compared to the safety blade of Java?

Ooh, I like this analogy.

> [snip many good points about people clicking OK mindlessly and such]
>
> A Bad Person writes a truly useful little utility as an ActiveX control.
> It does no overt harm to your system, but *does* patch MSIE to 
> disable signature checking on further ActiveX control downloads
> if they contain a certain string of bytes. 

Now that's peering into the mind of the ubercracker.

If only someone at MS would have done the same.

Worry about ActiveX, folks.  This is not empty FUD.  These are not
anti-MS scare tactics.  Signature verification is forced by default,
which is fine, but this can and will be disabled by end users,
regardless of local policy.  The line about intranets is just that, a 
line -- this is an Internet tool and will be used as such.

Java viruses will spread through implementation defects and ActiveX
viruses by design.  If I sound scared, it's because I am.

 -PSP

