Re: activex questions
From: Ron Ruble (raffles2@att.net)
Date: 04/11/03
- Next message: Ron Ruble: "Re: The gambler's fallacy: getting back to even"
- Previous message: Condor Chef: "Re: Coping with predatory business and evil in life?"
- In reply to: JoshB: "Re: activex questions"
- Next in thread: JoshB: "Re: activex questions"
- Reply: JoshB: "Re: activex questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ron Ruble" <raffles2@att.net> Date: Fri, 11 Apr 2003 12:03:15 -0400
"JoshB" <metrix007@yahoo.com> wrote in message news:c52a4e65.0304110512.2668b6f1@posting.google.com...
> mtubi@python.net (sponge) wrote in message news:<3e963f9b.6519693@news.rcn.com>...
> > On 10 Apr 2003 07:22:30 -0700, metrix007@yahoo.com (JoshB) wrote:
<snip>
> > >What exactly is activex scripting capable of, I notice it is suggested
> > >to enable it, and it is enabled by default.
> >
> > Anything and everything any other application is capable of. There is
> > no sandbox with ActiveX, so there are no security features.
> >
> No, I did not mean activex, I meant activex scripting, they appear to
> be different things. activex controls are by default prompted, activex
> script is not.
Not exactly. ActiveX controls need to be referenced by
scripts on the web page, in order to run. They are installed
on the local machine.
You can select "prompt before download", which prevents
malicious ActiveX controls from being downloaded without
your permission. It does nothing whatever to prevent a
script from running an existing ActiveX control already
installed on your system, such as Macromedia Flash.
You can select "prompt before running ActiveX controls",
but most people don't. Flash is so prevalent, and there are
a number of other prevalent controls, that the constant
prompting is annoying. Most people either enable ActiveX
to run everywhere or disable it everywhere. A minority of
people use customized security zones and third-party
utilities to control this prompting.
> > >ActiveX has complete control of target system?
> >
> > Yes.
> but without user interaction? without exploiting a vulnerability? by
> default IE is set to prompt.
> however activex script is able to run without prompting by default.
Again, the default is to prompt _only before download_,
not to prompt before running. They can run without a
prompt, as long as they are already downloaded.
> > >Are there any examples of pages that can automatically run code, install
> > >spyware etc without user interaction, and without taking advantage of
> > >vulnerabilities?
> >
> > The site just mentioned will be loaded with examples. Even Yahoo uses
> > this installation method for their "browser toolbar", although at
> > least they don't put it on their front page.
>
> I have not found one that installs without user interaction yet. I
> will continue to look.
Again, you're confusing running and installing. Once the
ActiveX control is installed, the control itself can download
and install other software, without user interaction.
This is why MS set up code signing in ActiveX controls.
This doesn't stop malicious code from running; it just lets
you verify where the control came from, and that _someone_
there _believes_ the control is safe.
Many times people who signed an ActiveX control as "safe
for scripting" were very, very wrong -- Microsoft included.
> Where I could find more info on the above? What you are saying, is
> even if I set activex prompting for everything, then someone can spoof
> Microsoft's signature and install without prompting?
If you have enabled download automatically from Microsoft
Trusted Sites, yes.
> Agreed, I myself use phoenix, however was looking for more info on
> exactly what is possible through ie/activex without any user
> interaction.
It's always difficult to say. The main thing is, once the ActiveX
component is downloaded and run, it can do _anything_; there
are no restrictions whatsoever.
Java, by contrast, runs in a sandbox. There are things Java
programs are prohibited from doing when they run. There
is _nothing_ ActiveX controls are prohibited from doing
once they run. They can only be flagged as safe or not-safe,
and this determination is by the guy who wrote it. If he
lied, tough; if he was mistaken, tough.
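As an added example, not part of the thread above: a PowerShell script that reads, per IE security zone, the three settings the reply distinguishes (prompt before download, run an already-installed control, script a control marked safe for scripting) so a defender can see which zones run existing controls with no prompt. It assumes the documented URLACTION ids under the HKCU Internet Settings key; Group Policy overrides are not checked.

```powershell
# Added example (not from the thread). Reads the per-zone ActiveX settings
# from the current user's registry hive. Action ids are the documented
# URLACTION values (KB182569); a Group Policy setting under the
# ...\Policies\... key would take precedence and is NOT checked here.

$zones = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'           # "prompt before download"
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'          # already-installed controls
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'                           # "activex scripting"
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
# REG_DWORD policy values: 0 = Enable, 1 = Prompt, 3 = Disable
$policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function ConvertTo-PolicyName([object]$Value) {
    if ($null -eq $Value) { return '(not set)' }
    if ($policy.ContainsKey([int]$Value)) { return $policy[[int]$Value] }
    return "unknown ($Value)"
}

function Get-ZoneActiveXPolicy {
    foreach ($zoneId in ($zones.Keys | Sort-Object)) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($action in $actions.Keys) {
            $raw = $props.$action
            [pscustomobject]@{
                Zone    = $zones[$zoneId]
                Action  = $actions[$action]
                Setting = ConvertTo-PolicyName $raw
                # The case the reply warns about: a control that is already on
                # the machine runs or is scripted in this zone with no prompt.
                NoPrompt = ($action -in '1200', '1201', '1405') -and ($raw -eq 0)
            }
        }
    }
}

Get-ZoneActiveXPolicy | Format-Table -AutoSize
```

Rows with NoPrompt set to True in the Internet zone are the "prompt only before download" configuration the reply describes; a Prompt or Disable value on 1200 is the stricter setting most people turn off because of the prompting.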