Message-ID: <001d01c34110$249e9280$550ffea9@rms>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Software vendors just don't "get" ActiveX security

Hi,

Software vendors continue to not understand ActiveX security issues.  I
found a number of ActiveX controls on my laptop which are marked "safe
for scripting", but they are clearly not.  These controls contain
methods which can be used from a Web page to do things like run
programs, download files from Web sites to the local hard drive, provide
file system access, etc.

Here are some of the questionable controls:

1. TgLib.System from www.support.com.  This control plus
   related controls ship preinstalled on Sony laptops.  
   These same controls are probably shipped with other
   brands of computers also.

2. IPWorks.TFTP from www.nsoftware.com.  I'm not even
   sure where this control came from.  It's a TFTP
   server or client of some sort.

3. FtpTree control from www.ftpvoyager.com.  The control
   is installed with the FTP Voyager software which is
   an FTP client for Windows.

I notified all three vendors many months ago and there are some fixes
available, but to be honest, I don't remember the details.

Some background on ActiveX security:

 http://www.computerbytesman.com/acctroj/hp.htm
 http://www.cert.org/reports/activeX_report.pdf
 http://www.fawcette.com/archives/premier/mgznarch/vbpj/1997/04apr97/opinion.pdf

Every Windows computer I've owned since 1998 has come preinstalled with
ActiveX controls which were mismarked as "safe for scripting".  I don't
see this problem getting solved.  There doesn't seem to be any mechanism
for educating software vendors about ActiveX security.  The same
mistakes are being made over and over again.  Perhaps ActiveX security
is just too difficult.

Richard M. Smith
http://www.ComputerBytesMan.com
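
An added defender-side audit script, not part of the original post and not from any of the vendors named: it lists COM classes whose registry "Implemented Categories" include the Safe-for-Scripting category (the marking the post refers to) and shows whether Internet Explorer's kill bit is set for each. The category GUIDs, the "ActiveX Compatibility" key and the 0x400 flag are the documented Windows values; the output column names are my own, and the script assumes it is run on the Windows machine being audited.

```powershell
# Audit script (added example): report COM classes marked "Safe for Scripting"
# in the registry and whether IE's kill bit blocks them.
# Caveat: a control may also answer IObjectSafety at runtime instead of using
# registry categories; such controls are not visible to this registry-only scan.
# On 64-bit Windows the 32-bit view lives under WOW6432Node and is not scanned here.

$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit    = 0x400   # Compatibility Flags bit: IE refuses to instantiate the control
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptSafeActiveX {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid   = $_.PSChildName
        $catPath = Join-Path $_.PSPath 'Implemented Categories'
        if (-not (Test-Path -LiteralPath $catPath)) { return }

        # Category membership is expressed as subkeys named by category GUID
        $cats = (Get-ChildItem -LiteralPath $catPath -ErrorAction SilentlyContinue).PSChildName
        if ($cats -notcontains $CatSafeForScripting) { return }

        $progId = (Get-ItemProperty -LiteralPath (Join-Path $_.PSPath 'ProgID') `
                    -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -LiteralPath (Join-Path $_.PSPath 'InprocServer32') `
                    -ErrorAction SilentlyContinue).'(default)'
        $flags  = (Get-ItemProperty -LiteralPath (Join-Path $CompatRoot $clsid) `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            CLSID       = $clsid
            ProgID      = $progId
            Server      = $server
            SafeForInit = ($cats -contains $CatSafeForInitializing)
            KillBitSet  = ($null -ne $flags -and (($flags -band $KillBit) -ne 0))
        }
      }
}

# Show controls a web page could script that IE would still instantiate.
# Review each against its vendor's documentation; set the kill bit for ones
# that expose file-system, download or process-execution methods.
Get-ScriptSafeActiveX | Where-Object { -not $_.KillBitSet } |
    Sort-Object ProgID | Format-Table -AutoSize
```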