Re: Active X exploit.

Paul Leach (paulle@MICROSOFT.COM)
Tue, 26 Aug 1997 16:55:47 -0700

What ActiveX doesn't have is a sandbox. That's different than saying
that there's no security.

ActiveX controls are _signed_ DLLs. You run the code if you trust the
signer. If you do, you know that no one has tampered with the code since
the signer signed it.

That's more secure than what I buy at the store.

> ----------
> From: Andreas Bogk[SMTP:andreas@ARTCOM.DE]
> Reply To: Andreas Bogk
> Sent: Tuesday, August 26, 1997 3:40 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Re: Active X exploit.
>
> >>>>> "Peter" == Peter Shipley <shipley@DIS.ORG> writes:
>
> Peter> There is a new exploit for active X
> Peter> http://www.network-security.com/activex/
>
> This exploit is not new, a similar program has been around on
>
> http://www.thur.de/home/steffen/activex/index_e.html
>
> since March. And the principle is the same on all ActiveX
> exploits. There simply is no security, ActiveX controls are simple
> DLLs.
>
> Andreas
>
> --
> Never underestimate the value of fprintf() for debugging purposes.
>