Someone just asked me for more information on the Active-X security issues.
unfortunately my response bounced, and I don't have her address... but it
did help me summarise *my* problem with ActiveX nicely:
The basic issue I see is that with ActiveX you can have an applet "invisibly"
downloaded to your browser, along with some code that is interpreted by the
applet (usually fairly simple code, such as the name of a file or a message
to display, but sometimes complex data such as MIDI files).
Now what's say someone finds a security hole in an applet? Say, if you feed
it a message over 300 characters long it overwrites the stack and when the
function returns it starts executing the message as code. This isn't an
unlikely attack... it's how the Internet Worm spread, and it's a common
attack on today's software... and it's particularly nasty, because it
allows the attacker to do anything that the locally logged in user could.
If this sort of hole existed in a plugin, or a browser, you could upgrade
to a fixed version, or not use it. With an applet the broken version can
always be uploaded by an attacker and since it's signed by the key of the
original company... and the company can't revoke the key without having
to release a new version of ALL applets signed by that key, and then getting
Microsoft to release a new version of Explorer that doesn't have the old
key in it.
So instead of depending on one company to keep their package secure, if
you allow ActiveX applets in you're depending on *all* the companies that
write applets not having any bugs, and if there is one then it's a lot
harder to get it out there and fixed.
With Java, on the other hand, you're dependent on the security of the sandbox,
but there's one company doing the sandbox and they're in a position to get
fixes out very quickly (in fact, Netscape contacts home.netscape.com on
startup by default!).
I'm not happy with the implementation of Java's sandbox... there are safer
ways to build one... it's so much safer than ActiveX that there's no contest
in my mind which way to go.
And there's really no justification for ActiveX. Anything that Java can't do
that's important enough to open up a potential security hole can be done with
an explicitly downloaded plugin... and the act of downloading it massively
reduces the window of opportunity for an attacker, since plugins are
typically taken from well known central sites rather than blindly slurped
up from whatever hacker's nest you might have clicked through to.