funsec mailing list archives
MoAxB - A month ain't long enough for ActiveX
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 3 May 2007 19:30:34 -0400
FYI. I actually think that a year plus is needed to list all of the security and DoS bugs in ActiveX controls. A few days ago, I reported a crash bug to the Microsoft security folks in their newly released Silverlight ActiveX control (See http://www.microsoft.com/silverlight/install.aspx). I'm not sure if the bug is exploitable or not. Delivering a secure/DoS-free ActiveX control written in C/C++ on the first try appears to be an impossible task.....

Richard

_____

Web site: http://moaxb.blogspot.com/

http://www.securityfocus.com/brief/495

Another Month of Bugs -- this time, ActiveX
Published: 2007-05-03

Anyone wishing that the Month of Bugs phenomenon would fade away will be disappointed in May. A lone researcher has apparently compiled enough flaws in various ActiveX controls to release a bug <http://moaxb.blogspot.com/> every day for the month of May.

Dubbing the effort the Month of ActiveX Bugs (MoAxB), the hacker -- who only identified himself by the name "shinnai" -- wrote, in broken English, that the effort was an attempt to educate people on the risks of ActiveX controls.

"Most of them are simple DoS (denial-of-service vulnerabilities) -- don't worry there are also some code execution -- but that's because MoAxB has only a sense: to inform developers about the risk of using ActiveX controls," the researcher wrote <http://moaxb.blogspot.com/2007/04/month-of-activex-bug-announced.html>.

...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.