Bugtraq mailing list archives
Re: Active X exploit.
From: frank.kargl () RZ UNI-ULM DE (Frank Kargl)
Date: Thu, 28 Aug 1997 11:36:14 +0200
Paul Leach wrote:
> The actual answer: the last time I bought a CD-ROM based package. Take a look at "autorun.inf" on a CD-ROM.
Who says that this autorun mechanism is any better than ActiveX? The only difference is that I usually buy a CD-ROM and if there's any harmful software on it, I'm able to hold my dealer responsible for it (in the first instance). If I'm downloading some piece of software from a Web-Server in Argentina things get a little bit more complicated.
> ActiveX controls from a software vendor only automatically run if you have previously stated that you are willing to automatically run any signed code from that software vendor.
No one prevents a signed and otherwise harmless ActiveX from changing the security level of MIE so that later controls (even unsigned) can do whatever they want to. To state it clearly: Signing is a method for authentication and NOT for security!

I think the problem with ActiveX is that Microsoft does it (as usual) the easy way (ala "Why should we implement any security when most of our users don't care for it anyway"). ActiveX has some kind of authentication but not the slightest touch of security. Java on the other side is relatively secure but suffered ('til the newer releases) from authentication.

IMHO it's up to Microsoft to catch up and get their security fixed. No Press Release can change the mind of anyone on this list.

Regards ... Frank

--
-----------------------------------------------------------------------
Frank Kargl (aka Comram) Computing Center, University of Ulm, Germany
Email: frank.kargl () rz uni-ulm de http://www.uni-ulm.de/~fkargl/
-----------------------------------------------------------------------
Now also with IPv6 email: fkargl@5f04:fb00:863c:0:1:800:207b:c521