funsec mailing list archives

RE: ActiveX strikes yet again -- This time its Intuit


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 7 Sep 2007 08:05:37 -0400

Let's also get rid of HTML, images, and CSS on Web pages.  These features
also are security risks.  I think that plain ASCII text can be made safe.
;-)

Richard 

-----Original Message-----
From: Paul Ferguson [mailto:fergdawg () netzero net] 
Sent: Friday, September 07, 2007 1:13 AM
To: juha-matti.laurio () netti fi
Cc: funsec () linuxbox org; rms () computerbytesman com
Subject: Re: [funsec] ActiveX strikes yet again -- This time its Intuit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Active content is evil. Period.

Along those same lines is this:

"NIST Issues New Computer Security Guidelines for Active Content"
http://www.gcn.com/online/vol1_no1/44972-1.html

My favorite quote:

"Incorporating active content such as Java applets, JavaScript and other
scripts, and macros can add to the functionality of documents, e-mails, Web
pages and files in a wide variety of formats, but NIST calls their security
vulnerabilities 'insidious'."

Insidious indeed.

- - ferg




- -- Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:

And probably not the last vendor - reported by this US-CERT team member:
http://secunia.com/search/?search=Will+Dormann+activex&sort_by=date

- - Juha-Matti

rms () computerbytesman com wrote: 

Sheesh.  Another big software vendor places a backdoor on their 
customers' computers that the bad guys can use also.


Richard


http://www.kb.cert.org/vuls/id/979638


Intuit QuickBooks Online Edition is a version of QuickBooks that is 
implemented as an ActiveX control. This ActiveX control contains 
several dangerous methods, such as httpGETToFile() and 
httpPOSTFromFile(). These methods can be used to download or upload files
in arbitrary locations.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFG4N3Hq1pz9mNUZTMRAq0RAJ9EEjEvQsT5sGs0oHjnchlZSePwKgCeIwKi
QjcTdANzkWJV+99GdyzqzmY=
=fEk0
-----END PGP SIGNATURE-----
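The US-CERT note quoted in the thread describes an ActiveX control exposing file download and upload methods, and the usual defensive response to such a control is to confirm it cannot be instantiated by Internet Explorer. The PowerShell below is an added example (not part of this thread, of the US-CERT note, or of Intuit's software): it reports whether the ActiveX "kill bit" (0x400 in the control's Compatibility Flags) is set for a given CLSID, checking both the native and the Wow6432Node registry paths. The CLSID value is a placeholder, since the page does not give the control's CLSID; the function name Test-ActiveXKillBit is my own.

```powershell
# Added example: report whether the ActiveX kill bit is set for a control.
# The CLSID below is a PLACEHOLDER; substitute the real one from the vendor
# or the vulnerability note before running.
$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # Per-control compatibility settings live under these keys; the second
    # path is consulted by 32-bit Internet Explorer on 64-bit Windows.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $KillBit = 0x400   # bit that tells IE never to instantiate the control

    foreach ($key in $paths) {
        $present = Test-Path -Path $key
        $flags = $null
        if ($present) {
            # Missing value yields $null, which -band treats as 0 (kill bit not set).
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Clsid      = $Clsid
            RegistryKey = $key
            KeyPresent = $present
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}

# Usage: one result object per registry path; KillBitSet should be True on
# a host where the control has been disabled.
Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
```

The function only reads the registry, so it can be run from a non-elevated prompt as an audit step; a KillBitSet of False on either path means the control is still instantiable from that IE bitness.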





_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.