Re: [Full-Disclosure] RIP: ActiveX controls in Internet Explorer?

• Previous message: Chris DeVoney: "[Full-Disclosure] Authorities eye MSBlaster suspect (long reply)"
• In reply to: Richard M. Smith: "[Full-Disclosure] RIP: ActiveX controls in Internet Explorer?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.netsys.com
Date: Sat, 30 Aug 2003 11:00:35 +1200

"Richard M. Smith" <rms@computerbytesman.com> wrote:

> As everyone knows, ActiveX controls and the <OBJECT> tag has been a big
> source of security holes in Internet Explorer. ...

And serious exposures in other browsers too.

Remember, the folk writing most of these fancy plug-in doo-dad
thingamies are largely clueless about "Internet security" and the
ramifications of accepting arbitrary data, particularly if it is not
produced by their own software at the "other end of the pipe". In
fact, I'd not be surprised if, on average, they are much worse than MS
but have managed to evade the spotlight due to the preponderance of
attention several hundred million more potential targets buys MS...
For just one chronically bad, equal-to-anything-ever-in-IE, example
just look at the very recently disclosed RealOne Player, et al. bug
(sorry, URL will wrap):

http://www.digitalpranksters.com/advisories/realnetworks/smilscriptproto
col.html

> ... However, it looks like
> support for ActiveX controls is going to be removed from Internet
> Explorer. A small company called Eolas recently won a $521 million
> judgment against Microsoft for patent infringement. The Eolas patent
> covers plugins in Web pages to show multimedia content.

Yes -- kinda nice result (and there I was thinking software patents
were necessarily "all bad"... 8-) ).

> The $521 million payment covers past infringement. Because Bill Gates
> loathes to pay per-copy royalties, ...

How ironic. Given that a large chunk of his personal fortune is due to
the unethical and illegal "Windows tax"collected by his company for all
those years (and still effectively being paid by many choosing not to
run his company's OSes), and given his company's (legal department's)
repeated statements about how much the company respects IP and depends
on protecting its own IP, and given the clearly gross profiteering the
company has engaged in to accumulate at least $49 billion cash reserves
(sorry -- $48.479 billion now), you'd think shelling out a few cents
per copy of Windows to show your respect for someone else's IP used
liberally in a critical component of your OS (another irony -- the DoJ
defense comes full circle to bite Bill's arse to the tune of $521
million) would be small beer...

> ... it looks like Microsoft is going to
> either partially or completely remove support for ActiveX controls in
> Internet Explorer rather than pay Eolas any more money.

Cool.

Pity though that that other recent court ruling threatening to require
MS to ship a true Java client didn't stick -- had it, MS would have had
an easy solution _and_ an easy out for the total about-face of such a
move. Combined these two rulings could have saved its sorry arse
basically for free, aside from the loss of face...

<<snip patent talk>>
> The W3C has set up a discussion list to talk about replacements for
> ActiveX in Internet Explorer:
>
> http://www.w3.org/2003/08/patent

Fortunately the corruption of W3C's role apparent in your chosen
wording (making W3C the driver of "standards" to cement IE as _the_ web
browser) is not actually reflected in the content of that page! 8-)

It seems they really are concerned that this patent will upset the
whole applecart (or at least, a substantial chunk of the applecart
developer market -- I doubt the folk behind Lynx are too concerned).
That said however, several of the heavy-hitters in W3C potentially have
a lot to lose if this patent has teeth and is applied to other browsers
too -- dream of a web without SWF and all those other, lesser third-
party abominations that so seriously detract from the original
concept... Then consider the W3C's stated goals:

   http://www.w3.org/Consortium/#goals

and in particular:

   1. Universal Access: To make the Web accessible to all by promoting
   technologies that take into account the vast differences in culture,
   languages, education, ability, material resources, access devices,
   and physical limitations of users on all continents;

> I hope that security people also join this list. This redesign of the
> Internet Explorer browser looks like the perfect time to put pressure on
> Microsoft to put in place a proper security system for browser add-ins.

Indeed.

Unfortunately, the page linked above is rather telling -- it does not
mention the words "secure", "securely" or "security" once. Given this
lofty ideal from:

   http://www.w3.org/Consortium/#mission

   ... To meet the growing expectations of users and the increasing
   power of machines, W3C is already laying the foundations for the
   next generation of the Web. W3C's technologies will help make the
   Web a robust, scalable, and adaptive infrastructure for a world of
   information.

I'd say its about time the W3C addressed security issues head-on. Of
course, how willing and able a standards body stacked with the
commercial interests of its industry sector might be to completely
revamping and correcting its previous errors is a good question...

Given that it has, to date, apparently shown exceedingly scant regard
for security issues giving us, for example, such miserable things (from
a security perspective) as embedded, comprehensive scripting whose main
development goal seems to be encouraging the wholesale deployment of
the generally dodgy practice of self-modifying code, one must question
whether it collectively has a single security clue. Of course, much of
W3C's sad history in "WWW standards setting" has actually been the
"standard" _catching up_ with what the (then) major players' browsers
were already doing, rather than taking the trail-blazing role of
proactive leadership, considering the greater collective good so
suggestively embodied in the ideals of its mission statement.

I'd rate its efforts to date "E-minus, could do _much_ better".

But maybe I'm just too old and cynical and W3C actually can do
something to improve (future) browser security...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: Chris DeVoney: "[Full-Disclosure] Authorities eye MSBlaster suspect (long reply)"
• In reply to: Richard M. Smith: "[Full-Disclosure] RIP: ActiveX controls in Internet Explorer?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]