Date: Sun, 09 Feb 1997 10:34:18 +0000 From: Joe Meadows Subject: More on the risks of ActiveX While the security community has fully recognized the risk of accepting controls from untrusted sources, it seems to have completely ignored a secondary risk of an existing control being subverted in unexpected ways. Perhaps all of the controls that come with MSIE are perfectly safe, and can't be subverted in any way (no buffer overflows, no mistakes), but it seems highly unlikely that _all_ controls are written so perfectly. Since one is basically giving away control of ones desktop to a web author by enabling ActiveX within a browser, many companies are avoiding the technology like the plague. Filtering it out at ones firewall is hardly effective, unless one were to parse through every HTML page and automatically remove the components that drive ActiveX (i.e. VBscript, the Object tag, etc). Not allowing ActiveX to be enabled in a web browser would seem to be a minimum requirement, not allowing browsers that support ActiveX would seem to be even better (and easier for a firewall implementation to handle - if the firewall sees that the user agent supports it, it could refuse to service it). Until the vendor gives us more control over when/how a control gets _used_ (not just control over when they get downloaded), I'll personally avoid the technology. I hope Dan Wallach's supposition that the vendors are working on it is true, but if they are, they're keeping awfully quiet about it (refusing to acknowledge that there even _is_ a problem). Of course, that's nothing new. "Full disclosure" of security bugs has done more for improving security in the last few years than 20 years of discussion about "risks" has done (not to belittle the work done by the readers of _this_ mailing list/newsgroup, I just wish vendors would recognize that todays risks are tomorrows exploits). Joe Meadows [as always, usual disclaimers in risks.info apply]