Bugtraq mailing list archives

Re: Active X exploit.


From: lutz () TARANIS IKS-JENA DE (Lutz Donnerhacke)
Date: Wed, 27 Aug 1997 08:12:42 GMT


* Paul Leach wrote:
> What ActiveX doesn't have is a sandbox. That's different than saying
> that there's no security.
>
> ActiveX controls are _signed_ DLLs. You run the code if you trust the
> signer. If you do, you know that no one has tampered with the code since
> the signer signed it.
>
> That's more secure than what I buy at the store.

Nope. Trust and Security are very different. Imagine programming errors in
controls from trustworthy programmers. (Shockwave example)

Furthermore:
  - It's easy to get a certificate for $20 per year.
  - Any CA trying to offer authenticode certificates is required to obtain
    a special agreement from Microsoft.
  - If you program something malicious, the CA will revoke the certificate
    due to a request from Microsoft (see above)
  - If any control damages your system, you can sue the author as long as
    the certificate is not revoked. So current practice results in helpless
    customers unable to sue anybody for the damage.
  - The current implementation of MSIE offers:
      + low     (accept anything without any question)
      + medium  (ask on uncertified controls, accept any certified)
      + high    (ask on any certified control, deny uncertified)
    Furthermore every control is accepted without any question, if:
      + the control was installed by any user on this system before
        (i.e. a malicious control is executed by the administrator,
         if any user accepted it before)
      + it is signed by an author the user trusts completely
      + it is signed by an author offering a certificate the user trusts
        completely (at the moment: if you trust Verisign, you trust everybody)
      + it is signed by a commercial company (denoted by a flag in the
        certificate independent from the certification authority ...)
    You are not able to distrust a company. If you try not to trust
    Microsoft (e.g.), you will run into the problem of denying authenticode
    requests every two seconds while working at www.microsoft.com. This
    results from the fact that denied requests are not stored.
    In consequence, every user of MSIE has set the security level to low
    or medium or accepted some controls by accident.
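The acceptance rules listed in the post above, modelled as a small decision function so the failure mode it points out (denied requests are not stored, so every page at a publisher you refused prompts again, until the user gives up and lowers the level) can be seen next to a variant that remembers denials. This is an added example and not code from the post or from Microsoft; the class and function names, the `remember_denials` switch and the sample control values are constructed for the illustration.

```python
"""Model of the Authenticode acceptance policy described in the post.

Constructed illustration, not MSIE's code. Class and function names, the
remember_denials switch and all sample values are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Level(Enum):
    LOW = "low"        # accept anything without any question
    MEDIUM = "medium"  # ask on uncertified controls, accept any certified
    HIGH = "high"      # ask on any certified control, deny uncertified


@dataclass(frozen=True)
class Control:
    name: str
    signer: Optional[str]  # None means the control is unsigned
    ca: Optional[str]      # CA that issued the signer's certificate
    commercial: bool       # "commercial company" flag in the certificate


@dataclass
class Policy:
    level: Level
    trusted_signers: Set[str] = field(default_factory=set)
    trusted_cas: Set[str] = field(default_factory=set)
    installed: Set[str] = field(default_factory=set)  # installed by any user
    remember_denials: bool = False  # assumed fix; MSIE as described did not
    denied: Set[str] = field(default_factory=set)


def decide(policy: Policy, control: Control) -> str:
    """Return "accept", "ask" or "deny" for one control load."""
    # Silent-accept paths from the post. They apply at every security level,
    # which is why a publisher cannot be distrusted by configuration.
    if control.name in policy.installed:
        return "accept"
    if control.signer is not None:
        if control.signer in policy.trusted_signers:
            return "accept"
        if control.ca in policy.trusted_cas:
            return "accept"
        if control.commercial:
            return "accept"
    # Assumed mitigation: a remembered denial is enforced without a prompt.
    if policy.remember_denials and control.name in policy.denied:
        return "deny"
    signed = control.signer is not None
    if policy.level is Level.LOW:
        return "accept"
    if policy.level is Level.MEDIUM:
        return "accept" if signed else "ask"
    return "ask" if signed else "deny"  # Level.HIGH


def simulate(policy: Policy, loads: List[Control], answer: str = "deny") -> int:
    """Replay a browsing session and count how often the user is prompted.

    The same answer is given to every prompt; "accept" installs the control
    (so later loads are silent), "deny" is only remembered if the policy
    keeps denials.
    """
    prompts = 0
    for control in loads:
        if decide(policy, control) != "ask":
            continue
        prompts += 1
        if answer == "accept":
            policy.installed.add(control.name)
        elif policy.remember_denials:
            policy.denied.add(control.name)
    return prompts


if __name__ == "__main__":
    # Constructed sample: a signed, non-commercial control loaded on five pages.
    widget = Control("widget.ocx", "Example Corp", "Verisign", commercial=False)
    print("prompts, denials not stored:", simulate(Policy(Level.HIGH), [widget] * 5))
    print("prompts, denials stored:    ",
          simulate(Policy(Level.HIGH, remember_denials=True), [widget] * 5))
```

Running the session at the `high` level shows five prompts for five page loads when denials are not stored, against one when they are; the "installed by any user" and "commercial flag" paths return `accept` regardless of the level, which is the point the post makes about being unable to distrust a company.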