Previously written
------------------------------------------------------------------------------
>Provided that this is not a false report, this seals ActiveX's fate in my
>mind. I don't see any way by which I can, in good conscience, let this
>through my firewall.
Wait a second. Why should this exploit be treated any differently than
any other misconfiguration exploit? Why is the fact that someone
downloaded an application from an unknown untrusted vendor and found it
to be malicious a condemnation of ActiveX?
1. If the default IE implementation existed on the exploited machine,
they were informed of the company name that signed the certificate, and
were asked to confirm acceptance of the object. In that case they
chose to trust an untrustworthy company; why is that the fault of
ActiveX?
2. If they previously had told IE to accept all signed certificates,
then they chose to leave their machine wide open, again, why is that
ActiveX's fault?
-------- I add:
Item 1:
I don't see anything in IE for Windows 3.1 where one can choose vendors. I
can warn on invalid certificates and I can change the list of places where
the certificate was issued from. This implies that any vendor registered in
one of the sites can write an ActiveX component and be valid, including
vendors which I may not want to accept components from.
I've never been asked if I wanted to receive components from Microsoft so
this implies that you don't get asked when you are about to receive a
component from a company for the first time if they are properly registered.
This assumes, of course, that Microsoft is properly registered; I don't
have visibility into the registration list.
Incidentally, I used Microsoft in the above example since that is a company
that I know I've received components from. I have no idea if any other
company has managed to send me components; I haven't found a way that I can
tell.
Item 2:
ActiveX components have the same characteristics as a virus. They are code
which is delivered from the outside, frequently without knowledge, which can
affect the long-term characteristics of the host system or other systems
and/or pass information back which may be considered proprietary or
sensitive. From what I can tell, there is no effort to control (limit) what
an ActiveX component can do; the indications that I see are just the
opposite. In some ways, ActiveX is an attempt to legitimize virus-like
features. It seems strange to me that the same people who have problems with
accepting diskettes from places (especially without running them through
virus programs) have no issue with executing components downloaded across
the Internet and running those components in an environment where the same
activities would be accepted as normal.
Question:
Would it be possible to write a component which would attach itself to a
page on a PC-based web server and then propagate itself from there? If properly
crafted, would it use its original certificate or would that no longer be
valid; that is, what are the rules when components get reused (referenced in
another web site)?
william.wells@damark.com
Manager, Systems Administration/Internet
Damark International, Inc
The opinions and comments are mine.
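The disagreement between the quoted reply (item 1: the user is named the publisher and asked to confirm) and the response above (trust is configured per certificate issuer, so a publisher with a certificate from an accepted issuer is never asked about) comes down to which policy the browser applies. The following is an added example, not code from the original post or from Internet Explorer; it models the three policies named in the thread (prompt per publisher, issuer-only trust, and "accept all signed") as a small decision function over constructed component records. The component names, publisher and CA names, and dates are all constructed; real Authenticode verification is performed by the operating system, not by this code.

```python
"""Toy model of the ActiveX trust decisions discussed in the thread.

Added example, not from the original post. All publisher, issuer and
component names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"    # run without asking the user
    PROMPT = "prompt"  # ask the user, naming the publisher
    BLOCK = "block"    # refuse to run


@dataclass(frozen=True)
class SignedComponent:
    name: str
    publisher: str          # subject of the code-signing certificate
    issuer: str             # CA that issued the publisher's certificate
    not_after: date         # certificate expiry
    signature_valid: bool   # whether the signature verified against the cert


@dataclass
class TrustPolicy:
    trusted_issuers: set                                  # the "list of places" certs may be issued from
    trusted_publishers: set = field(default_factory=set)  # vendors the user already accepted
    accept_all_signed: bool = False                       # the setting described in item 2
    prompt_per_publisher: bool = True                     # the behaviour the quoted reply describes in item 1


def evaluate(component, policy, today):
    """Return the Decision a browser applying `policy` would make for `component`."""
    # A bad or expired signature makes the certificate meaningless under any policy.
    if not component.signature_valid or today > component.not_after:
        return Decision.BLOCK
    # The chain must end at an issuer the browser is configured to accept.
    if component.issuer not in policy.trusted_issuers:
        return Decision.BLOCK
    if policy.accept_all_signed or component.publisher in policy.trusted_publishers:
        return Decision.ALLOW
    # This branch is the gap raised above: with issuer-only trust, any publisher
    # holding a certificate from an accepted issuer runs without a prompt.
    return Decision.PROMPT if policy.prompt_per_publisher else Decision.ALLOW


# Constructed sample data (hypothetical names and dates).
COMMERCIAL_CA = "Example Commercial CA"
TODAY = date(1997, 3, 1)

SAMPLE_COMPONENTS = [
    SignedComponent("vendor-a-control", "Known Vendor A", COMMERCIAL_CA, date(1998, 1, 1), True),
    SignedComponent("unknown-vendor-control", "Unknown Vendor Z", COMMERCIAL_CA, date(1998, 1, 1), True),
    SignedComponent("expired-control", "Known Vendor A", COMMERCIAL_CA, date(1996, 12, 31), True),
    SignedComponent("tampered-control", "Known Vendor A", COMMERCIAL_CA, date(1998, 1, 1), False),
    SignedComponent("self-signed-control", "Unknown Vendor Z", "Unknown Vendor Z", date(1998, 1, 1), True),
]

# The three policies the thread talks about.
PROMPTING = TrustPolicy({COMMERCIAL_CA}, {"Known Vendor A"})
ISSUER_ONLY = TrustPolicy({COMMERCIAL_CA}, prompt_per_publisher=False)
ACCEPT_ALL_SIGNED = TrustPolicy({COMMERCIAL_CA}, accept_all_signed=True)


def decisions(policy, today=TODAY, components=SAMPLE_COMPONENTS):
    """Map every sample component name to the decision `policy` produces."""
    return {c.name: evaluate(c, policy, today) for c in components}


if __name__ == "__main__":
    for label, policy in (("prompt per publisher", PROMPTING),
                          ("issuer-only trust", ISSUER_ONLY),
                          ("accept all signed", ACCEPT_ALL_SIGNED)):
        print(label)
        for name, decision in decisions(policy).items():
            print(f"  {name:24s} {decision.value}")
```

Under the issuer-only and accept-all-signed policies the component from the unknown publisher runs with no prompt, which is the situation described above; only the per-publisher policy distinguishes a vendor the user has already accepted from one they have not. Note that in every mode a valid signature from an accepted issuer says only who signed the code, nothing about what the code does.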