Firewalls: RE: ActiveX and RISKS

Firewalls
(November 1996)

Indexed By Thread: [Previous] [Next]

Subject:	RE: ActiveX and RISKS
From:	Russ <Russ . Cooper @ RC . on . ca>
Date:	Mon, 18 Nov 1996 19:11:41 -0500
To:	"'Todd Graham Lewis'" <lists @ reflections . mindspring . com>
Cc:	"'Firewalls Mailing List'" <firewalls @ GreatCircle . COM>

I don't want to interrupt you boys playing, but I thought I'd just
point out what may have been obvious already, namely that Trend Micro
isn't owned by Microsoft, and the fact that their ActiveX product is
available on the MS Proxy Server is probably purely a marketing thing.
Since Trend make products for a wide variety of Unixens, I'd certainly
expect them to announce the availability on other platforms in the near
future. MS Proxy server probably just made an easy platform to build
their proxy on, but who knows (maybe some non-marketing person at Trend
Micro could pipe up and tell us what made you do that? You know, say
something like "well, since the MS Proxy Server is the best Proxy
Server ever made, we figured we'd ride its coat-tails to
success"...no?...;-]).
*
Don't think I'm missing the dry wit in your message, but anyone could
have written a malicious NetScape plug-in if they wanted to and it
would have had a far greater impact than any ActiveX object in today's
browser arena, after all, a plug-in has as much control over your
Windows box as an ActiveX object has. And please don't tell me that you
have to install a plug-in vs. automatically receiving an ActiveX
object, there are so many more implementations of Netscape out there
surely there would be at least as many Netscape users who would have
installed the malicious plug-in as ActiveX users who would have crossed
a malicious ActiveX page. Besides, you can't control the installation
of Netscape plug-ins any better than you can control the installation
of ActiveX objects. Of course, the fact that ActiveX objects "today"
are only risking Windows machines (the machines with Microsoft's
operating system), means their only shooting themselves in the foot,
not all the people running Unix, aren't they?
*
Given that the MS Proxy Server doesn't have an SMTP proxy yet means
people are probably not going to beat down Trend's door trying to get
the MS Proxy implementation of their ActiveX blocker. They may be able
to ride the hype surrounding its release (hype? what hype?), but they
would have done far better to release the thing on some flavor of Unix
so it could be used in a "real" Proxy Server environment.
*
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ .
 Cooper @
 RC .
 on .
 ca <-- *note the new address*

Follow-Ups:

Re: ActiveX and RISKS
From: peter @ baileynm . com (Peter da Silva)

Indexed By Date	Previous:	FW-1 for NT - Log problems ??? From: Abel de Andrade Junior <abel @ sulamerica . com . br>
Indexed By Date	Next:	Re: name "Firewall" From: Jim Geuin <jgeuin @ ix . netcom . com>
Indexed By Thread	Previous:	Re: ActiveX and RISKS From: Benedikt Stockebrand <benedikt @ devnull . ruhr . de>
Indexed By Thread	Next:	Re: ActiveX and RISKS From: peter @ baileynm . com (Peter da Silva)