WebApp Sec mailing list archives

Re: ActiveX controls within an Intranet Environment


From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 26 Nov 2004 17:49:08 -0800

Hello Marian! I was in the same situation before. One of the
companies I was supporting used a proprietary ActiveX control to
handle some of their business. Unfortunately, this made weaning them
off of IE next to impossible. ActiveX in itself is inherently
insecure and should be avoided when possible, IMHO.

Eventually I was able to have them move to a Java-based solution
instead, which helped with security AND allowed cross browser/platform
capability. Was wonderful news when it was finally implemented and
everything was working.

I never tried to do any real studies on the actual risks involved with
that particular app, although most are aware of the risks associated
with ActiveX as a whole. Just like Windows, it wasn't designed with
security in mind, but with functionality instead. Doing some quick
Google searches on "activex risks" or "activex security" should reveal
a plethora of resources and information on the topic.

--
Peace. ~G


On Fri, 26 Nov 2004 13:48:57 +1300, Marian Fitzgerald
<marian.fitzgerald012 () msd govt nz> wrote:
Hello all,

I am carrying out a risk assessment on an application that we are
looking to deploy internally - however there is a dependency on ActiveX
by the app. I am constantly receiving security updates on the
vulnerabilities associated with using ActiveX but would like to be able
to quantify the risks appropriately. Could you offer any input on this?

Thank you
Marian
