Brian Hook on the ActiveX Experience
Obiwan Kenobi writes "Brian Hook of id software fame got around to developing on ActiveX and found some minor grievances, particularly in the security department. To quote: "I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is. I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.""
I think this could be considered as a proof of how ActiveX was vapor-designed by Microsoft to compete with Netscape's original plugins.
1. Examine more or less how competition works
2. Quick! Make a prototype and flat-out obvious bugs
(Missing step: redesign well taking into account security considerations)
3. Overhype
4. Profit!
So now we're stuck with an obsolete plugin model, which Microsoft neglects to fix because this would break backwards compatibility.
THE END.
I'm really finding it hard to give this guy any credibility at all. First off, none of the issues he cites are in any way new, these problems are old hat. But then to get all nitpicky about the details of these issues by professing things like 'I don't use ATL, I write my ActiveX in MFC.' Shit, I don't even know where to begin. The guy's just now digging into ActiveX and has decided flat out that MFC is the way to do it? Strike 1, and strike 2. Not immediately dropping it and moving on to something more suitable, you're out man.
I'm dumbfounded by this.
And editors, you're not helping any by posting stories like this. It's all too obvious that this article was posted because it fits the anti-MS slant quite well. That's all fine and good, but this article brings absolutely NOTHING to the table except another excuse to bash MS and an OLD MS technology.
No Comment.
even WIDESPREAD coverage that the site is LETHAL to a computer wouldn't keep people from visiting it. When the "I Love You" virus hit a while back, we actually had users open the e-mail "just to make sure" it wasn't really someone sending them a love letter (like they EVER got them before and would SUDDENLY begin to, entirely by coincidence, right then...)
Like the man said about tsunami alerts in the United States: "There's still a large segment of the population that would go get their kids out of school so they could drive to the beach and watch the big waves..."
This space intentionally left (almost) blank.
...but it should be repeated until everyone has heard it loud and clear. ActiveX is dangerous.
Well people start getting these warning messages and they realize that they are usually there to help them out they just go and lower their security settings so they don't get bothered by the messages. While the average user plays dumb they will initiate a high amount of intelligence to say get his online poker game to run. But after it corrupts his drive he will point to you and tell you to fix it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
And what may I ask makes a signed active-X control any less dangerous than an unsigned one?
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
i mean, any operating system is vulnerable to an exploit if its security infrastructure is sufficiently loose.
The problem is, there aren't many OS's out there that arbitrarily run dangerous code from a web page with no interaction from the user other than visiting the page in question, low security settings or not.
he means internet explorer security settings.
and MOST people run with IE set for trust everything because they have had trouble with the random poorly designed bank site.
so many people can get hosed easily. that is why we block ALL active X at the firewall. no active X for any reason what-so-ever. and it does not affect our company one tiny bit except keep us a bit cleaner of spyware.
Do not look at laser with remaining good eye.
any operating system is vulnerable to an exploit if its security infrastructure is sufficiently loose. if you set your entire filesystem to 777 then you're completely vulnerable on any unix-based os too.
Really? So, if I chmod 777 my, uh, /tmp or /mnt/deleteme directory, you can make a web page that will delete it all from within my Firefox browser? On my Fedora Core 3 laptop?
Are you sure?
See, to do this, you have to get a script or something to run on my system to delete these locations. Show me where even lowly jscript allows for this...
Now, I'm no jscript guru, so I did a google search for jscript delete files and, on at least the first page or two, only came up with stuff having to do with the ".NET framework" or involving ActiveX!
And the point isn't that files can be deleted, the point is that the API for ActiveX allows somebody to do this remotely.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
"and MOST people run with IE set for trust everything because they have had trouble with the random poorly designed bank site." Most people run it with default settings (which are pretty reasonable) because they do not know how to change them anyway.
----------
Bullshit
That's it exactly.
To put it another way, if you change a single setting in a single program (IE) any web page can zap your system. To make your *nix box as insecure, you have to change the file permissions for every single file on the system.
IE is a single point of failure. That's what makes the comparison invalid. You'd have to go out of your way to screw up a *nix box that bad.
Weaselmancer
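One way to look at the "single setting" the two posts above argue about, as an added example that is not part of this thread: a PowerShell audit of the current user's Internet-zone ActiveX values in the IE registry layout. The key path, the value names 1001/1004/1200/1201 and the 0/1/3 meanings are assumed from Microsoft's documentation of the Zones keys; the expected baseline is my own, not anything from the thread.

```powershell
# Added example (not from the thread): audit the IE Internet zone (zone 3)
# ActiveX policy values for the current user and flag anything more
# permissive than a conservative baseline.
# Assumption: value names and data meanings follow Microsoft's documented
# "Internet Settings\Zones" layout (verify against current documentation).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy value name -> description. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$activeXPolicies = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
# Baseline (my assumption): never "Enable" (0) in the Internet zone; unsigned
# download and unsafe scripting disabled outright.
$expected = @{ '1001' = 1; '1004' = 3; '1200' = 1; '1201' = 3 }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-ActiveXZonePolicy {
    param([string]$Key = $zoneKey)
    $findings = @()
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $activeXPolicies.Keys) {
        $actual = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { $null }
        $want = $expected[$name]
        # A lower number is more permissive; 0 ("Enable") is the low setting
        # Hook describes, where the control runs as soon as the page loads.
        # An unset value means the IE default applies, so it is not flagged here.
        $weak = ($null -ne $actual) -and ($actual -lt $want)
        $findings += [pscustomobject]@{
            Value    = $name
            Setting  = $activeXPolicies[$name]
            Actual   = if ($null -eq $actual) { 'unset (default)' } else { $labels[$actual] }
            Expected = $labels[$want]
            Weak     = $weak
        }
    }
    return $findings
}

Test-ActiveXZonePolicy | Sort-Object Value | Format-Table -AutoSize
```

Machine-wide policy can override the per-user key when Security_HKLM_only is set, so a full audit would repeat the check under HKLM as well.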
ridiculous.
First of all, this is all allowed remotely. Second of all, if you 777 your drive, any major service will refuse to start. Most good and properly coded servers like apache and ssh check their permissions and if something is out of whack, they just won't run. A self-audit helps to prevent against even loose OS security.
Regards,
Steve
Sure. But you know the signer. And you agree to install it.
Same is true for a firefox extension. By installing the extension, you're saying that you know and trust the originator of the extension.
Code signing allows you to KNOW the originator of the control - they had to pay money to Verisign (or whoever) to sign their code, which rules out a lot of random malware.
Now then, it IS possible to hide the origin of the control (if the control comes from "You must agree to load this control to view your DivX pr0n" what're you going to do?)
But at least signing gives you verifiability.
Of course you have to trust the CA who issued the certificate that signed the control, the same thing holds true for SSL web pages and firefox extensions.
I see your logic: these people give money to Verisign (who we all know are a very ethical company) so they must be good so software they give away must not damage my PC. Actually, no, I don't see your logic.
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
Does Verisign review the source code for the controls that its certificates are applied to? I think not.
About the only thing that we can "trust" is that Verisign got a check from the developers. The ability to mail a check != trustworthiness.
"But at least signing gives you verifiability."
OK, so in your search you find that the extension was signed by a company in the Bermudas or India or something. Do you really care to take it further than that?
"Of course you have to trust the CA who issued the certificate that signed the control"
There are no trustworthy CAs. They've all made mistakes, and there will be mistakes in the future. The whole CA thing, mandated through browser warnings and such, is a "false sense of security" scam.
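The posts above disagree about what a signature on a control actually buys you. As an added example that is not from this thread, this PowerShell function reports what an Authenticode check on an .ocx does and does not establish. The "Downloaded Program Files" folder is assumed to be where IE keeps installed controls; Get-AuthenticodeSignature is a real cmdlet, the report layout is my own.

```powershell
# Added example (not from the thread): what an Authenticode check on an
# ActiveX control (.ocx) proves, and what it leaves unanswered.
function Get-OcxSignerReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $report = [ordered]@{
        File      = $Path
        Status    = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = if ($cert) { $cert.Subject } else { 'none' }
        Issuer    = if ($cert) { $cert.Issuer } else { 'none' }   # the CA you are asked to trust
        NotAfter  = if ($cert) { $cert.NotAfter } else { $null }
        Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
    }
    # "Valid" proves integrity (bytes unchanged since signing) and identity
    # (a CA vouched for the subject name). It says nothing about what the
    # code does, which is the point made in the thread.
    $report.WhatThisProves = switch ($sig.Status) {
        'Valid'        { 'Unmodified since signing; signer name chained to a trusted CA' }
        'NotSigned'    { 'No identity claim at all' }
        'HashMismatch' { 'File altered after signing: treat as hostile' }
        default        { "Chain or format problem: $($sig.StatusMessage)" }
    }
    return [pscustomobject]$report
}

# Assumed location of IE-installed controls; adjust if your layout differs.
Get-ChildItem "$env:WINDIR\Downloaded Program Files" -Filter *.ocx -ErrorAction SilentlyContinue |
    ForEach-Object { Get-OcxSignerReport -Path $_.FullName } | Format-List
```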
There is a difference. An active-x control is embedded in a web page. Just visiting the page can/will download it, install it and run it automatically (depending on your browser settings).
Not so with Firefox extensions. You have to look for them, choose to install them (by clicking on an install link) then accept to install it. It's no different than downloading and installing an .exe in that regards.
But the answer to your question is simple. 1) Mozilla only suggests downloading extensions from its own update.mozilla.org, 2) that requires that all extensions go through a brief testing period. 3) even though this testing period may not catch the malicious code, one can assume that someone will, and since there are literally millions of firefox users, literally hundreds of thousands of people test the extensions. If anything goes wrong there are speedy and direct feedback methods, the extension is open source so it can be checked, and will be removed from umo at the first glimpse of an issue. that's why you can trust something from mozilla. Anders
Not quite correct. What you said was true for JDK1.1 and earlier. Since 1.2 (released back in 1997 or so) you can have it display a warning saying "this applet wishes to connect to the following server: 123.123.123.123" [Allow|Deny]. Thanks to the sandboxing, security in Java is not an all or nothing affair. The applet developer can select certain permissions it requires.
The problem with this design is that it requires the person operating the browser to be a security expert in order to know what to do.
There are tons of specific permissions that an applet can ask for. Do you know the implications of each? Does your Grandmother?
While this seems like a useful system to folks who spend their lives thinking about security, in reality the question asked by the applet is always "Do you trust me" The finer grained stuff takes an expert to decipher so it does not really provide finer grained security unless the browser is being operated by an expert.
Furthermore, the security interface for ActiveX sucks balls - if you accept a control once, your browser will happily upgrade it when you go to that page next, whether or not you want to. It's really, really easy to accidentally install an ActiveX control, signed or not. Extensions are in a very different ballpark than ActiveX controls, although they do have some of the same issues. Why are you so dead-set on defending this totally braindead and almost universally despised technology? Not even Microsoft claims they're a good idea.
For those old enough to remember Windows95 and Windows3.1, activeX was called "ole" short for Object Linking and Embedding.
It was used in VB to drag and drop controls and parts of applications. That's it.
For example you could slap together an app that uses Excel by using the ole (activeX) control from the program and putting it on the form.
Anyway it's powerful and security is not an issue since it was designed to be used in internal apps at compile time by VB and VC developers.
MS was panicked by netscape plugins because ms didn't control it. What MS should have done was base ActiveX on ole, take out some features and add security oriented ones in return. Instead they gave out the ole controls with a dumb hackable trust based pop-up as a bandaid solution for the security.
http://saveie6.com/
Sure. But you know the signer. And you agree to install it.
I'd rather have the Java model, where it requests specific permissions. I actually don't know the author, unless it's MS or Macromedia or someplace similar. Real security is proactive, not reactive. Besides, most software absolves itself of all responsibility, so what could you really do? Show up at their door with a baseball bat?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Of course, these things are not restricted to a specific operating system and applies to an amazing amount of software as well. The technique goes under the name "social engineering".
Beware: In C++, your friends can see your privates!
...to play in FireFox's sandbox, not to t0t411`/ 0wn3rz uR |-|4r|) |)15k or any other hardware you happen to have, which is the level of trust you're extending to ActiveX.
There's a slight difference.
Got time? Spend some of it coding or testing