| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: rms at computerbytesman.com (Richard M. Smith) Subject: Software vendors just don't "get" ActiveX security Hi, Software vendors continue to not understand ActiveX security issues. I found a number of ActiveX controls on my laptop which are marked "safe for scripting", but they are clearly not. These controls contain methods which can be used from a Web page to do things like run programs, download files from Web sites to the local hard drive, provide file system access, etc. Here are some of the questionable controls: 1. TgLib.System from www.support.com. This control plus related controls ship preinstalled on Sony laptops. These same controls are probably shipped with other brands of computers also. 2. IPWorks.TFTP from www.nsoftware.com. I'm not even sure where this control came from. It's a TFTP server or client of some sort. 3. FtpTree control from www.ftpvoyager.com. The control is installed with the FTP Voyager software which is FTP client for Windows. I notified all three vendors many months ago and there are some fixes available, but to be honest, I don't remember the details. Some background on ActiveX security: http://www.computerbytesman.com/acctroj/hp.htm http://www.cert.org/reports/activeX_report.pdf http://www.fawcette.com/archives/premier/mgznarch/vbpj/1997/04apr97/opin ion.pdf Every Windows computer I've owned since 1998 has come preinstalled with ActiveX controls which were mismarked as "safe for scripting". I don't see this problem getting solved. There doesn't seem to be any mechanism for educating software vendors about ActiveX security. The same mistakes are being made over and over again. Perhaps ActiveX security is just too difficult. Richard M. Smith http://www.ComputerBytesMan.com
Powered by blists - more mailing lists