[5209] in bugtraq
Re: Active X exploit.
daemon@ATHENA.MIT.EDU (Alan Cox)
Wed Aug 27 19:55:00 1997
Date: Wed, 27 Aug 1997 21:25:23 +0100
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: paulle@MICROSOFT.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <28347281A2B5CF119AB000805FD4186603B6F421@RED-77-MSG.dns.microsoft.com> from "Paul Leach" at Aug 26, 97 04:55:47 pm

> What ActiveX doesn't have is a sandbox. That's different than saying
> that there's no security.
>
> ActiveX controls are _signed_ DLLs. You run the code if you trust the
> signer. If you do, you know that no one has tampered with the code since
> the signer signed it.
>
> That's more secure than what I buy at the store.

When, sir, was the last time you walked into a store and every time you
looked at a package it automatically installed itself and ran?

Signing things is good practice, and it's one I'm pleased to see many
OS and product vendors adopting. Automatically running things that are
signed is a different matter.

Alan