Bugtraq mailing list archives
Re: Active X exploit.
From: dholland () EECS HARVARD EDU (David Holland)
Date: Wed, 27 Aug 1997 09:10:20 -0400
> What ActiveX doesn't have is a sandbox. That's different than saying that there's no security. ActiveX controls are _signed_ DLLs. You run the code if you trust the signer. If you do, you know that no one has tampered with the code since the signer signed it.
Anyone who has followed this list for more than a month should realize that code written with the best of intentions, and not tampered with, is still routinely full of security holes. On the other hand, I can send you an unsigned piece of code that does exactly what it says it does and contains no security holes whatsoever. Authentication of code is an entirely different problem from security of code.
> That's more secure than what I buy at the store.
Not really.

--
- David A. Holland | VINO project home page:
dholland () eecs harvard edu | http://www.eecs.harvard.edu/vino