funsec mailing list archives
Re: Microsoft issues IE update to get around the Eolas patent
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 01 Mar 2006 16:09:49 +1300
Dude VanWinkle to Richard M. Smith:
I wonder how many Web sites this Microsoft patch will break.......
Well, they don't outright break -- unless I misunderstood something, the user simply has to click the control an extra time before they can _directly interact_ (including via script embedded in the page) with the control, but (initial) dynamic content played or displayed by the control will still activate.
After you install this update, you cannot interact with ActiveX controls from certain Web pages until these controls are enabled. To enable an ActiveX control, manually click the control.
I wonder how much spyware this will prevent from being installed?
It will have the _opposite_ effect. To get around the user having to manually "activate" the control by clicking it, web authors can ensure that the control is "dynamically instantiated" (my term), and thus immediately activated, via script, rather than being "passively" instantiated the old (aka "infringing") way (i.e. via APPLET, EMBED or OBJECT tags in the main page -- this is effectively what the patent rules out), thus requiring "activation".
What all that means is that web authors will, and rather quickly I suspect, move to this new construction to get their ActiveX controls enabled and so the pressure on browser users to move back to having MORE script-enabled sites or even more script-enabled security domains in IE will increase, so we will see MORE script-based silliness, including compromises and the like.
This move is even more reason to abandon IE totally.
MS should have taken its loss in the Eolas patent case, combined it with Billy Boy's previous, well-publicized insistence that security is now really more important than functionality, and used that as the raison d'etre for finally killing its shitty pile of security holes that passes with some as a miserable excuse for a web browser. It didn't, so we have yet more evidence that, despite Billy Boy's publicly released memo, security is really only more important at MS now if it's _wholly convenient_ for it to be more important. In other words, despite all the grandstanding in the media, actually very little has changed at MS viz security...
Regards,
Nick FitzGerald
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.