Re: OT: Gone from topic, now on security Re: For PGP Users-Likes and Dislikes of PGP

David Wagner wrote:
Joseph Ashwood wrote:
Going back to the same earlier argument, is Sony's rootkit uninstaller an issue with Microsoft? It is not, but that is exactly what you are claiming (the uninstaller was an ActiveX control, so it is precisely within this).

I don't know enough about Sony's rootkit uninstaller.
Here are the assumptions I'll make about it:
- Sony's ActiveX control contained a vulnerability that could
be exploited;

Yes. The ActiveX control was capable of downloading and installing arbitrary software, and it did nothing to confirm that the arbitrary software it was downloading was from Sony or Sony's DRM vendor. It would happily retrieve from www.malwarez.ru.

- If you visited a malicious web page with MSIE, the malicious web
page could download Sony's ActiveX control, execute it, and exploit
its vulnerability;

Not quite. The (initial version of the) DRM/rootkit uninstaller required that the ActiveX control in question be downloaded and installed. And the uninstaller left the ActiveX control installed after it was done, where it could be invoked by web pages from any web site.

- If you read a malicious email with Outlook Express, the same is true.
If these assumptions are wrong, let me know. Otherwise, I'll proceed
with my analysis under these assumptions.

I don't know myself if it was invocable from e-mail, but if OE treats e-mail message HTML like IE treats HTML from a web site, then the ActiveX control could be invoked by e-mailed HTML.

--Mike Amling
.

Relevant Pages

  • Re: Where am i being downloaded from ?
    ... > component know from which website is it being downloading from? ... > how can i pass values from html page to the component, ... > html pages to give different values to the activeX control from ...
    (microsoft.public.vc.atl)
  • Re: Remove programs with a script?
    ... You just have to find said uninstaller and the command line options. ... the string is usually a command line option i.e. ... Mozilla ActiveX Control v1.7.12 ...
    (microsoft.public.scripting.wsh)
  • Re: Question on ports and Remote Desktop web access
    ... original reference, and it works. ... >> still not install from my host computer. ... >> BTW, now that the ActiveX control is installed on one of my computers, ... I've already tried manually downloading and installing ...
    (microsoft.public.windowsxp.work_remotely)
  • Re: safe activeX
    ... If you are writing the ActiveX control yourself, then you can mark it as ... You can still do the creation of the HTML file from within your ... To avoid un-necessary security hassles, it is better to use an ASP page, ... > certificate myself. ...
    (microsoft.public.inetserver.iis.security)
  • Re: trying to access training for microsoft office, many links but ca.
    ... Do you have the ActiveX control? ... Go to the Training web site and click help, read the section about "Downloading ... Have basic knowlege of some applications but need to ...
    (microsoft.public.office.misc)