Great Circle Associates Firewalls
(November 1996)
 


Subject: ActiveX and RISKS
From: peter @ baileynm . com (Peter da Silva)
Date: Fri, 15 Nov 1996 19:02:52 -0600 (CST)
To: firewalls @ greatcircle . com

This is precisely the ActiveX exploit I predicted would happen. Who's
got a good ActiveX blocker proxy for a firewall?

From RISKS:
> Date: Mon, 11 Nov 1996 23:49:03 -0500
> From: "Richard M. Smith" <rms @ pharlap . com>
> Subject: Making good ActiveX controls do bad things

>   Even more worrisome are ActiveX controls that contain methods (i.e.,
>   function calls) that write files to disks.  These methods can be used
>   by a simple VBScript program to overwrite key system files like
>   AUTOEXEC.BAT, CONFIG.SYS, REG.DAT etc.  The damage is done simply by
>   viewing an HTML page that contains the ActiveX control and the
>   malicious VBScript code.  I know of at least three commercially
>   available ActiveX controls that have methods that will save files to
>   disk.  Any of these controls, I believe, can be exploited to build a
>   disk crash HTML page.  At least two of these controls have valid
>   Authenticode digital signatures so that they can be automatically
>   downloaded and executed even with the highest security settings in
>   Internet Explorer 3.
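
An added sketch of the content check an ActiveX-blocking proxy could apply to HTML responses; it is not code from this thread or from any product. The CLSID, URL and sample page are constructed placeholders, and the block/flag/allow policy and the names `ActiveXScanner` and `verdict` are assumptions.

```python
from html.parser import HTMLParser

class ActiveXScanner(HTMLParser):
    """Records OBJECT tags that instantiate COM controls, and VBScript blocks."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # tuples of (kind, detail, codebase)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <OBJECT CLASSID=...> matches.
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            classid = a.get("classid", "").strip()
            if classid.lower().startswith("clsid:"):
                clsid = classid[6:].strip("{} ").upper()
                self.findings.append(("activex-object", clsid, a.get("codebase", "")))
        elif tag == "script":
            lang = (a.get("language") or a.get("type") or "").lower()
            if "vbs" in lang:  # VBScript, VBS, text/vbscript
                self.findings.append(("vbscript", lang, ""))

def verdict(html, allowed_clsids=frozenset()):
    """Return (decision, findings) for one HTML response body.

    Assumed policy: block any control whose CLSID is not on the administrator's
    allowlist; flag pages that only carry VBScript or allowlisted controls.
    """
    scanner = ActiveXScanner()
    scanner.feed(html)
    scanner.close()
    controls = [f for f in scanner.findings
                if f[0] == "activex-object" and f[1] not in allowed_clsids]
    if controls:
        return "block", scanner.findings
    if scanner.findings:
        return "flag", scanner.findings
    return "allow", scanner.findings

# Constructed sample page: placeholder CLSID and URL, inert script body.
SAMPLE_PAGE = """<HTML><BODY>
<OBJECT ID="ctl" CLASSID="CLSID:00000000-0000-0000-0000-000000000001"
        CODEBASE="http://example.invalid/ctl.ocx"></OBJECT>
<SCRIPT LANGUAGE="VBScript">
' constructed placeholder script body
</SCRIPT>
</BODY></HTML>"""

if __name__ == "__main__":
    print(verdict(SAMPLE_PAGE))
```

The decision is keyed on a CLSID allowlist rather than on whether the control is signed, because the quoted report describes controls with valid Authenticode signatures being misused.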

