[4980] in WWW Security List Archive
Re: Prediction:Plug-ins will go away (Re: Automatic trojans)
daemon@ATHENA.MIT.EDU (David M. Chess)
Fri Apr 4 12:16:35 1997
Date: Fri, 4 Apr 97 10:04:56 EST
From: "David M. Chess" <CHESS@watson.ibm.com>
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

> From: Richard Costine <rjc@n2k.com>
> Yes. Do I trust ActiveX more than some
> arbitrary piece of code (i.e. plugin) that I download from the net? Yes.
> It's supposed to run in some kind of sandbox.

It is? What do you base that statement on? There is no "sandboxing"
on ActiveX that I'm aware of; once you've said "yes, let it run",
it's running on the metal, and it can do anything any normal
program could do. Just like a plugin, or a random .EXE file.
The only security in ActiveX is the initial, possibly signature-based,
decision about whether or not to allow the control to run at all.
DC