[2646] in WWW Security List Archive

Re: ActiveX security hole reported.

daemon@ATHENA.MIT.EDU (Albert Lunde)
Fri Aug 16 12:22:24 1996

To: srw134@email.psu.edu (Sean Robert Wilkins)
Date: Fri, 16 Aug 1996 09:11:54 -0500 (CDT)
Cc: alano@teleport.com, www-security@ns2.rutgers.edu
In-Reply-To: <1.5.4.32.19960815163908.0067deac@email.psu.edu> from "Sean Robert Wilkins" at Aug 15, 96 12:39:08 pm
Reply-To: Albert-Lunde@nwu.edu (Albert Lunde)
From: Albert-Lunde@nwu.edu (Albert Lunde)
Errors-To: owner-www-security@ns2.rutgers.edu

> Actually, to answer your question at the beginning. IE does come up with a
> dialog if the certain ActiveX control was signed and not verified through
> you. And if it was signed, you can check the signature before you run it. So
> personally I think it is not all that great that this can happen, BUT it
> opens the doors to what a real ActiveX author can do. To have somebody go
> out and cry because they were stupid enough not to check the signature is
> sort of dumb, is it not??
>
> Think about it, people: is there not a level of stupidity that reigns here??

Prior experience with anti-virus software indicates that when end-users
are presented frequently enough with questions to answer, they will
sometimes make what an expert would consider the "wrong" choice.

(This is why Disinfectant was written with a minimum of configurable
options.)

-- 
    Albert Lunde                      Albert-Lunde@nwu.edu
