[2618] in WWW Security List Archive
RE: ActiveX security hole reported.
daemon@ATHENA.MIT.EDU (John Lehmann (SSASyd))
Thu Aug 15 06:22:26 1996
From: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Thu, 15 Aug 96 17:34:00 S
Errors-To: owner-www-security@ns2.rutgers.edu
Apart from the fact that I am a dedicated anti-ms person (for moral reasons
:) I was going to make a comment along these lines... ActiveX seems
designed to be used on an intranet or somesuch where the security
controls imposed by most plug-ins become oppressive... or be used to run
software written by trusted/reputable companies (sorry, are there any
trusted large software companies?)... enter the age of disposable
programming
As a class of software designed to run on a single platform of machines
in an internal network, discussion of ActiveX is perhaps off-thread for
the www-newsgroup ;)
Unless anyone knows anything about the keys that pieces of ActiveX are
signed with... can they be forged... who can give out signatures... can
the web-servers of trusted hosts be broken into and the trusted bits of
software replaced with wooden horses...?
----------
From: owner-www-security[SMTP:owner-www-security@ns2.rutgers.edu]
Sent: Wednesday, 14 August, 1996 11:27 AM
To: Stephen Cobb
Cc: trei; www-security
Subject: Re: ActiveX security hole reported.
On Tue, 13 Aug 1996 17:57:52 -0400, stephen@iu.net wrote:
>>Some guy has written an ActiveX control which crashes windoze95... I don't
>>use windoze so can't try it, but if someone else is brave, I'd love to know
>>if it works...
>>
>
>Yes, it works, turns off the machine...quite impressive.
Which part do people find the most impressive? -
that the Win95 shutdown API works as documented
or that all these security experts are downloading and running
software designed to do something they don't want?
How does this control differ from an HTML page that tells
readers to turn the power switch off?
- G.