>Provided that this is not a false report, this seals ActiveX's fate in
>mind. I don't see any way by which I can, in good conscience, let this
>through my firewall.
Wait a second. Why should this exploit be treated any differently than
any other misconfiguration exploit? Why is the fact that someone
downloaded an application from an unknown untrusted vendor and found it
to be malicious a condemnation of ActiveX?
1. If the default IE implementation existed on the exploited machine,
they were informed of the company name who signed the certificate, and
were asked to confirm acceptance of the object. In which case, they
chose to trust an untrustworthy company, why is that the fault of
2. If they previously had told IE to accept all signed certificates,
then they chose to leave their machine wide open, again, why is that
As we always say about Firewalls, if the user chooses to ignore or be
ignorant of the risks of the configuration they're using, nothing can
> R.C. Consulting, Inc. - NT/Internet Security Consulting
> "Why does Plug-n-Play so often turn into Unplug-n-Pay?"