Join Date: Nov 2008
Re: How bad is ActiveX?
Originally Posted by Joachim
Ok - I've read a lot about ActiveX on the Internet, so I know that ActiveX is not run in a sandbox and it has the same level of access as the user. I know that you 'can' disable ActiveX or you can restrict it to signed controls only (although a signed control can still be malicious), and all these configuration options may have a negative effect on the user's Internet browsing experience. But I'm confused to see some reports of flaws in current ActiveX controls - sure, the control can be abused to take over the user's PC, but if a malicious website wants to take over a user's PC, why don't they use their own ActiveX control? Is it that the majority of companies do not allow ActiveX controls to be downloaded (they must all be installed by IT)?

Also, are there practical limitations to what an ActiveX control can do? Can it send crafted network packets (such as to exploit the recent MS RPC vulnerability), or has it only got high-level access to network commands? Is it relatively simple for an ActiveX control to be written to quietly get the browser to set up a remote control session from an external host, or to get the ActiveX control to download files off the network?

Suggestions are welcome. Thanks in advance.
Because any vaguely sensible security policy would, at a minimum, require user confirmation before installing them from the Internet or untrusted zones (and should probably not allow unsigned ones at all).

They can do anything that an ordinary .exe can do, when run by the user of the browser.

I don't know the exact rules for Windows, but there are some network operations that require Administrator access on Unix. Note, as you implied an environment where user convenience was more important than security, it may well be that the users do have Administrator rights!

Yes. (It is possible that some firewall products may detect this, and that some virus/spyware programs may also sense a risk.)

Generally, there is a strong correlation between the ability to produce a "rich user experience" and high security risks.
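The "sensible policy" the reply describes (prompt before downloading signed controls, never download unsigned ones) is what Internet Explorer's per-zone URL-action settings express. The script below is an added example, not code from either poster: it audits those settings for the Internet zone, optionally sets them to the hardened values, and checks whether a given control has its kill bit set. The URL-action ids (1001, 1004, 1200, 1201), the value meanings (0 = Enable, 1 = Prompt, 3 = Disable), the zone number (3 = Internet) and the kill-bit flag (0x400 in "Compatibility Flags") are Microsoft's documented registry layout; the CLSID passed at the end is a placeholder, not a real control.

```powershell
# Added example (not from the original post): audit and harden the IE ActiveX
# URL actions for the Internet zone, and check a control's kill bit.
# Per-user zone settings live under
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
# where zone 3 is "Internet". Each URL action is a DWORD named by its action id;
# values: 0 = Enable, 1 = Prompt, 3 = Disable.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Actions that govern ActiveX in the zone, with the value a sensible policy wants:
# signed downloads at least prompt, unsigned downloads and unsafe scripting disabled.
$Policy = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                       Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                     Want = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                      Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked safe'; Want = 3 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZonePolicy {
    # Read each action and compare it with the wanted value; one object per action.
    param([string]$Path = $ZonePath)
    foreach ($id in ($Policy.Keys | Sort-Object)) {
        $item  = Get-ItemProperty -Path $Path -Name $id -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.$id } else { $null }
        if ($null -eq $value)                  { $current = '(not set)' }
        elseif ($Label.ContainsKey($value))    { $current = $Label[$value] }
        else                                   { $current = "unknown ($value)" }
        # A missing value falls back to the zone template; anything numerically lower
        # than the wanted value is more permissive, so both count as findings.
        $weak = ($null -eq $value) -or ($value -lt $Policy[$id].Want)
        [pscustomobject]@{
            Action  = $id
            Name    = $Policy[$id].Name
            Current = $current
            Wanted  = $Label[$Policy[$id].Want]
            Weak    = $weak
        }
    }
}

function Set-ActiveXZoneHardening {
    # Write the wanted values. On machines where Security_HKLM_only is set by policy,
    # the HKLM copy of the zone key wins and must be changed there instead.
    param([string]$Path = $ZonePath)
    foreach ($id in $Policy.Keys) {
        Set-ItemProperty -Path $Path -Name $id -Value $Policy[$id].Want -Type DWord
    }
}

function Test-ActiveXKillBit {
    # A kill bit (bit 0x400 of "Compatibility Flags") stops IE instantiating the control
    # regardless of zone settings; it is how a flawed control gets retired without
    # uninstalling it.
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

# Usage: report the Internet zone, harden it if anything is weak, and re-report.
$report = Get-ActiveXZonePolicy
$report | Format-Table -AutoSize
if ($report | Where-Object Weak) {
    Set-ActiveXZoneHardening
    Get-ActiveXZonePolicy | Format-Table -AutoSize
}
# Placeholder CLSID (assumption, not a real control): substitute the control in question.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Run it in the context of the user whose browser you are checking, since the settings are per-user unless the machine forces the HKLM copy. The audit reports "Enable" for action 1004 as weak because it lets unsigned controls download without any confirmation, which is exactly the configuration the reply argues no sensible policy should allow.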