Great Circle Associates Firewalls
(January 1997)
 


Subject: RE: [NTSEC] ActiveX, MSIE and Quicken
From: Russ <Russ . Cooper @ RC . on . ca>
Date: Fri, 31 Jan 1997 09:19:18 -0500
To: "'Todd Graham Lewis'" <lists @ reflections . mindspring . com>
Cc: Firewalls Mailing List <firewalls @ GreatCircle . COM>

ActiveX implants in Internet web pages can be filtered out based on the
certificate exchange or whatever.

The ability for code to be downloaded to a Windows machine, invoked, and
have itself dynamically bound into the user's OLE environment, cannot.

ActiveX has been here for a long, long time, it's only been webbified
and made simpler to implement. IE adds the Authenticode stuff that
doesn't exist if IE isn't being used. ActiveX isn't Authenticode, it's
network OLE. Turning off network OLE is next to impossible, all you can
do is filter out the signed objects coming through your Firewall (or
proxy, or whatever).

This constant commentary that ActiveX = Web Applets is what I'm trying
to clarify, ActiveX = Network OLE = (Web Applets, local Applets, LAN
Applets, Intranet Applets, virtually all new Windows Applications,
etc...).

So yes, plug it up today, that's what I recommend anyway, but what we
really need are new/improved desktop security products, not more filters
for Firewalls.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
"Why does Plug-n-Play so often turn into Unplug-n-Pay?"

