[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001d01c34110$249e9280$550ffea9@rms>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Software vendors just don't "get" ActiveX security
Hi,
Software vendors continue to not understand ActiveX security issues. I
found a number of ActiveX controls on my laptop which are marked "safe
for scripting", but they are clearly not. These controls contain
methods which can be used from a Web page to do things like run
programs, download files from Web sites to the local hard drive, provide
file system access, etc.
Here are some of the questionable controls:
1. TgLib.System from www.support.com. This control plus
related controls ship preinstalled on Sony laptops.
These same controls are probably shipped with other
brands of computers also.
2. IPWorks.TFTP from www.nsoftware.com. I'm not even
sure where this control came from. It's a TFTP
server or client of some sort.
3. FtpTree control from www.ftpvoyager.com. The control
is installed with the FTP Voyager software which is
FTP client for Windows.
I notified all three vendors many months ago and there are some fixes
available, but to be honest, I don't remember the details.
Some background on ActiveX security:
http://www.computerbytesman.com/acctroj/hp.htm
http://www.cert.org/reports/activeX_report.pdf
http://www.fawcette.com/archives/premier/mgznarch/vbpj/1997/04apr97/opin
ion.pdf
Every Windows computer I've owned since 1998 has come preinstalled with
ActiveX controls which were mismarked as "safe for scripting". I don't
see this problem getting solved. There doesn't seem to be any mechanism
for educating software vendors about ActiveX security. The same
mistakes are being made over and over again. Perhaps ActiveX security
is just too difficult.
Richard M. Smith
http://www.ComputerBytesMan.com
Powered by blists - more mailing lists