funsec mailing list archives

MoAxB - A month ain't long enough for ActiveX


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 3 May 2007 19:30:34 -0400

FYI.  I actually think that a year plus is needed to list all of the
security and DoS bugs in ActiveX controls.
 
A few days ago, I reported a crash bug to the Microsoft security folks in
their newly released Silverlight ActiveX control (See
http://www.microsoft.com/silverlight/install.aspx).  I'm not sure if the bug
is exploitable or not.  Delivering a secure/DoS-free ActiveX control written
in C/C++ on the first try appears to be an impossible task.....
 
Richard
 
  _____  

 
Web site:  http://moaxb.blogspot.com/
 
http://www.securityfocus.com/brief/495
 
Another Month of Bugs -- this time, ActiveX
Published: 2007-05-03


Anyone wishing that the Month of Bugs phenomenon would fade away will be
disappointed in May.

A lone researcher has apparently compiled enough flaws in various ActiveX
controls to release a bug <http://moaxb.blogspot.com/> every day for the
month of May. Dubbing the effort the Month of ActiveX Bugs (MoAxB), the
hacker -- who only identified himself by the name "shinnai" -- wrote, in
broken English, that the effort was an attempt to educate people on the
risks of ActiveX controls.

"Most of them are simple DoS (denial-of-service vulnerabilities) -- don't
worry there are also some code execution -- but that's because MoAxB has
only a sense: to inform developers about the risk of using ActiveX
controls," the researcher wrote
<http://moaxb.blogspot.com/2007/04/month-of-activex-bug-announced.html>.

...

 

 
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
