Re: Active X exploit.

Frank Kargl (frank.kargl@RZ.UNI-ULM.DE)
Thu, 28 Aug 1997 11:36:14 +0200

Paul Leach wrote:
> The actual answer: the last time I bought a CD-ROM based package. Take a
> look at "autorun.inf" on a CD-ROM.

Who says that this autorun mechanism is any better than ActiveX? The only
difference is that I usually buy a CD-ROM, and if there's any harmful
software on it, I'm able to hold my dealer responsible for it (in the first
instance). If I'm downloading some piece of software from a Web server in
Argentina, things get a little bit more complicated.

> ActiveX controls from a software vendor only automatically run if you
> have previously stated that you are willing to automatically run any
> signed code from that software vendor.

No one prevents a signed and otherwise harmless ActiveX control from changing
the security level of MIE so that later controls (even unsigned ones) can do
whatever they want to.

To state it clearly:
Signing is a method for authentication and NOT for security!

I think the problem with ActiveX is that Microsoft does it (as usual) the
easy way (à la "Why should we implement any security when most of our users
don't care for it anyway"). ActiveX has some kind of authentication but
not the slightest touch of security. Java, on the other hand, is relatively
secure but suffered (until the newer releases) from authentication. IMHO
it's up to Microsoft to catch up and get their security fixed. No press
release can change the mind of anyone on this list.

Regards ... Frank

--
-----------------------------------------------------------------------
  Frank Kargl (aka Comram) Computing Center,University of Ulm,Germany
  Email:frank.kargl@rz.uni-ulm.de      http://www.uni-ulm.de/~fkargl/
-----------------------------------------------------------------------
   Now also with IPv6 email: fkargl@5f04:fb00:863c:0:1:800:207b:c521
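The "signing is authentication, not security" point above, as an added example that is not part of the original post: a toy model of a browser whose only policy is "run any signed code from a trusted publisher", run once with that policy mutable by executing code and once with it locked. Publisher signatures are simulated with HMAC over the control body under a constructed key; the AcmeSoft publisher name, the `run_unsigned` setting and the `policy_locked` flag are assumptions of this demo, not features of any real browser.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

PUBLISHER_KEYS = {"AcmeSoft": b"constructed-demo-key"}  # constructed demo key, not a real vendor

@dataclass
class Control:
    publisher: str        # "" means unsigned
    body: str             # the toy "action" the control performs when run
    signature: bytes = b""

def sign(control: Control, key: bytes) -> Control:
    control.signature = hmac.new(key, control.body.encode(), hashlib.sha256).digest()
    return control

def verify(control: Control) -> bool:
    """Authentication only: answers 'did this publisher sign it?', never 'is it safe?'."""
    key = PUBLISHER_KEYS.get(control.publisher)
    if key is None:
        return False
    expected = hmac.new(key, control.body.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, control.signature)

@dataclass
class Browser:
    trusted_publishers: set
    run_unsigned: bool = False    # the "security level" the post talks about
    policy_locked: bool = False   # mitigation: running code cannot change policy
    log: list = field(default_factory=list)

    def run(self, control: Control) -> bool:
        trusted = verify(control) and control.publisher in self.trusted_publishers
        if not (trusted or self.run_unsigned):
            self.log.append(f"blocked: {control.publisher or 'unsigned'}")
            return False
        self.log.append(f"ran: {control.publisher or 'unsigned'} -> {control.body}")
        # A signed, otherwise harmless control whose only action is lowering the security level.
        if control.body == "set run_unsigned=1":
            if self.policy_locked:
                self.log.append("policy change refused")
            else:
                self.run_unsigned = True
        return True

def scenario(policy_locked: bool) -> tuple:
    # Trusted signed control runs first, then an unsigned one; returns whether the unsigned one ran.
    b = Browser(trusted_publishers={"AcmeSoft"}, policy_locked=policy_locked)
    b.run(sign(Control("AcmeSoft", "set run_unsigned=1"), PUBLISHER_KEYS["AcmeSoft"]))
    return b.run(Control("", "do anything")), b.log
```

`scenario(False)` shows the unsigned control running once the signed one has lowered the setting; `scenario(True)` shows the same signed control verifying and running but the policy change being refused, so the unsigned control stays blocked.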