Message-ID: <3F5083D3.18635.A709CA8E@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: RIP: ActiveX controls in Internet Explorer?
"Richard M. Smith" <rms@...puterbytesman.com> wrote:
> As everyone knows, ActiveX controls and the <OBJECT> tag has been a big
> source of security holes in Internet Explorer. ...
And serious exposures in other browsers too.
Remember, the folk writing most of these fancy plug-in doo-dad
thingamies are largely clueless about "Internet security" and the
ramifications of accepting arbitrary data, particularly if it is not
produced by their own software at the "other end of the pipe". In
fact, I'd not be surprised if, on average, they are much worse than MS
but have managed to evade the spotlight due to the preponderance of
attention several hundred million more potential targets buys MS...
For just one chronically bad, equal-to-anything-ever-in-IE, example
just look at the very recently disclosed RealOne Player, et al. bug
(sorry, URL will wrap):
http://www.digitalpranksters.com/advisories/realnetworks/smilscriptprotocol.html
> ... However, it looks like
> support for ActiveX controls is going to be removed from Internet
> Explorer. A small company called Eolas recently won a $521 million
> judgment against Microsoft for patent infringement. The Eolas patent
> covers plugins in Web pages to show multimedia content.
Yes -- kinda nice result (and there I was thinking software patents
were necessarily "all bad"... 8-) ).
> The $521 million payment covers past infringement. Because Bill Gates
> loathes to pay per-copy royalties, ...
How ironic. Given that a large chunk of his personal fortune is due to
the unethical and illegal "Windows tax" collected by his company for all
those years (and still effectively being paid by many choosing not to
run his company's OSes), and given his company's (legal department's)
repeated statements about how much the company respects IP and depends
on protecting its own IP, and given the clearly gross profiteering the
company has engaged in to accumulate at least $49 billion cash reserves
(sorry -- $48.479 billion now), you'd think shelling out a few cents
per copy of Windows to show your respect for someone else's IP used
liberally in a critical component of your OS (another irony -- the DoJ
defense comes full circle to bite Bill's arse to the tune of $521
million) would be small beer...
> ... it looks like Microsoft is going to
> either partially or completely remove support for ActiveX controls in
> Internet Explorer rather than pay Eolas any more money.
Cool.
Pity though that that other recent court ruling threatening to require
MS to ship a true Java client didn't stick -- had it, MS would have had
an easy solution _and_ an easy out for the total about-face of such a
move. Combined these two rulings could have saved its sorry arse
basically for free, aside from the loss of face...
<<snip patent talk>>
> The W3C has set up a discussion list to talk about replacements for
> ActiveX in Internet Explorer:
>
> http://www.w3.org/2003/08/patent
Fortunately the corruption of W3C's role apparent in your chosen
wording (making W3C the driver of "standards" to cement IE as _the_ web
browser) is not actually reflected in the content of that page! 8-)
It seems they really are concerned that this patent will upset the
whole applecart (or at least, a substantial chunk of the applecart
developer market -- I doubt the folk behind Lynx are too concerned).
That said however, several of the heavy-hitters in W3C potentially have
a lot to lose if this patent has teeth and is applied to other browsers
too -- dream of a web without SWF and all those other, lesser third-
party abominations that so seriously detract from the original
concept... Then consider the W3C's stated goals:
http://www.w3.org/Consortium/#goals
and in particular:
1. Universal Access: To make the Web accessible to all by promoting
technologies that take into account the vast differences in culture,
languages, education, ability, material resources, access devices,
and physical limitations of users on all continents;
> I hope that security people also join this list. This redesign of the
> Internet Explorer browser looks like the perfect time to put pressure on
> Microsoft to put in place a proper security system for browser add-ins.
Indeed.
Unfortunately, the page linked above is rather telling -- it does not
mention the words "secure", "securely" or "security" once. Given this
lofty ideal from:
http://www.w3.org/Consortium/#mission
... To meet the growing expectations of users and the increasing
power of machines, W3C is already laying the foundations for the
next generation of the Web. W3C's technologies will help make the
Web a robust, scalable, and adaptive infrastructure for a world of
information.
I'd say it's about time the W3C addressed security issues head-on. Of
course, how willing and able a standards body stacked with the
commercial interests of its industry sector might be to completely
revamping and correcting its previous errors is a good question...
Given that it has, to date, apparently shown exceedingly scant regard
for security issues giving us, for example, such miserable things (from
a security perspective) as embedded, comprehensive scripting whose main
development goal seems to be encouraging the wholesale deployment of
the generally dodgy practice of self-modifying code, one must question
whether it collectively has a single security clue. Of course, much of
W3C's sad history in "WWW standards setting" has actually been the
"standard" _catching up_ with what the (then) major players' browsers
were already doing, rather than taking the trail-blazing role of
proactive leadership, considering the greater collective good so
suggestively embodied in the ideals of its mission statement.
I'd rate its efforts to date "E-minus, could do _much_ better".
But maybe I'm just too old and cynical and W3C actually can do
something to improve (future) browser security...
Regards,
Nick FitzGerald