Russ wrote:
| 1. If the default IE implementation existed on the exploited machine,
| they were informed of the name of the company that signed the certificate, and
| were asked to confirm acceptance of the object. In which case, they
| chose to trust an untrustworthy company, why is that the fault of
| ActiveX?
|
| 2. If they previously had told IE to accept all signed certificates,
| then they chose to leave their machine wide open, again, why is that
| ActiveX's fault?
Let's say that the user is in class one, and makes a mistake.
They could have just accepted a malicious applet that
changes their IE config into class two. Or perhaps it adds a trusted
CA. (Or perhaps the attack is two-pronged; the malicious code that
changes the config file is a Word virus.) There are subtle attacks.
ActiveX is bad technology because it does not offer mechanisms for an
organization's security officer to control what is happening in any
way other than turning it off.
Adam
--
Pet peeve of the day: Security companies whose protocols dare not
speak their name. Guilty company of the day is Security Dynamics.
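As an added example (not part of the thread above, and not code from either poster), the script below audits a Windows machine for the two config changes Adam describes: the Internet-zone setting being flipped so signed ActiveX controls download without a prompt (the "class two" state), and a root CA having been added to the user's trust store. It assumes the later IE security-zone registry layout (value 1001 under Zones\3, where 0 = enable silently, 1 = prompt, 3 = disable), which postdates the IE version the thread is discussing, and the baseline thumbprint list is a constructed placeholder to be replaced with one exported from a known-good machine.

```powershell
# Added audit example; assumptions (registry path, value meanings, baseline) are
# stated in the lead-in and are not taken from the original post.

function Get-SignedActiveXState {
    # Value 1001 in the Internet zone (zone 3): "Download signed ActiveX controls".
    $zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $props = Get-ItemProperty -Path $zonePath -Name '1001' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'unset' }
    switch ($props.'1001') {
        0       { return 'enable'   }   # silently downloads: Russ's "class two"
        1       { return 'prompt'   }   # asks the user: Russ's "class one"
        3       { return 'disable'  }
        default { return "unexpected($($props.'1001'))" }
    }
}

function Get-UnexpectedRootCAs {
    param([string[]]$BaselineThumbprints)
    # Any root in the current user's store that is not in the baseline is flagged;
    # a malicious control that "adds a trusted CA" would show up here.
    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { $BaselineThumbprints -notcontains $_.Thumbprint }
}

# Constructed placeholder baseline: replace with thumbprints exported from a
# known-good machine, e.g. (Get-ChildItem Cert:\CurrentUser\Root).Thumbprint
$baseline = @(
    '0000000000000000000000000000000000000000'
)

$state = Get-SignedActiveXState
if ($state -eq 'enable') {
    Write-Warning "Internet zone downloads signed ActiveX without prompting (class two state)"
} else {
    Write-Output "Signed ActiveX download setting for Internet zone: $state"
}

foreach ($cert in (Get-UnexpectedRootCAs -BaselineThumbprints $baseline)) {
    Write-Warning ("Root CA not in baseline: {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
}
```

Run it under the user account whose browser is in question, since both the zone setting and the Root store checked here are per-user; a machine-wide policy check would also need the HKLM copy of the zone key and the LocalMachine store.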