funsec mailing list archives
RE: ActiveX strikes yet again -- This time its Intuit
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 7 Sep 2007 08:05:37 -0400
Let's also get rid of HTML, images, and CSS on Web pages. These features also are security risks. I think that plain ASCII text can be made safe. ;-) Richard -----Original Message----- From: Paul Ferguson [mailto:fergdawg () netzero net] Sent: Friday, September 07, 2007 1:13 AM To: juha-matti.laurio () netti fi Cc: funsec () linuxbox org; rms () computerbytesman com Subject: Re: [funsec] ActiveX strikes yet again -- This time its Intuit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Active content is evil. Period. Along those same lines is this: "NIST Issues New Computer Security Guidelines for Active Content" http://www.gcn.com/online/vol1_no1/44972-1.html My favorite quote: "Incorporating active content such as Java applets, JavaScript and other scripts, and macros can add to the functionality of documents, e-mails, Web pages and files in a wide variety of formats, but NIST calls their security vulnerabilities 'insidious'." Insidious indeed. - - ferg - -- Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote: And probably not the last vendor - reported by this US-CERT team member: http://secunia.com/search/?search=Will+Dormann+activex&sort_by=date - - Juha-Matti rms () computerbytesman com wrote:
Seesh. Another big software vendor places a backdoor on their customers computers that the bad guys can use also. Richard http://www.kb.cert.org/vuls/id/979638 Intuit QuickBooks Online Edition is a version of QuickBooks that is implemented as an ActiveX control. This ActiveX control contains several dangerous methods, such as httpGETToFile() and httpPOSTFromFile(). These methods can be used to download or upload files
in arbitrary locations. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFG4N3Hq1pz9mNUZTMRAq0RAJ9EEjEvQsT5sGs0oHjnchlZSePwKgCeIwKi QjcTdANzkWJV+99GdyzqzmY= =fEk0 -----END PGP SIGNATURE----- _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- ActiveX strikes yet again -- This time its Intuit rms (Sep 06)
- <Possible follow-ups>
- Re: ActiveX strikes yet again -- This time its Intuit Juha-Matti Laurio (Sep 06)
- Re: ActiveX strikes yet again -- This time its Intuit Paul Ferguson (Sep 06)
- RE: ActiveX strikes yet again -- This time its Intuit Richard M. Smith (Sep 07)
- RE: ActiveX strikes yet again -- This time its Intuit David Harley (Sep 07)
- RE: ActiveX strikes yet again -- This time its Intuit Drsolly (Sep 07)
- RE: ActiveX strikes yet again -- This time its Intuit Richard M. Smith (Sep 07)