>Provided that this is not a false report, this seals ActiveX's fate in my
>mind. I don't see any way by which I can, in good conscience, let this
>through my firewall.
Wait a second. Why should this exploit be treated any differently than
any other misconfiguration exploit? Why is the fact that someone
downloaded an application from an unknown untrusted vendor and found it
to be malicious a condemnation of ActiveX?
1. If the default IE implementation existed on the exploited machine,
they were informed of the company name who signed the certificate, and
were asked to confirm acceptance of the object. In which case, they
chose to trust an untrustworthy company, why is that the fault of
ActiveX?
2. If they previously had told IE to accept all signed certificates,
then they chose to leave their machine wide open, again, why is that
ActiveX's fault?
As we always say about firewalls, if the user chooses to ignore or be
ignorant of the risks of the configuration they're using, nothing can
protect them.
> Cheers,
> Russ
> R.C. Consulting, Inc. - NT/Internet Security Consulting
> "Why does Plug-n-Play so often turn into Unplug-n-Pay?"