Brian Hook on the ActiveX Experience
Obiwan Kenobi writes "Brian Hook of id software fame got around to developing on ActiveX and found some minor grievances, particularly in the security department. To quote: "I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is. I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.""
...to point out potential issues in .Net. Even MS is no longer pushing ActiveX/COM. They are rewriting that trash out of their architectures as fast as they can. Maybe .Net doesn't come off as bad as COM, so can't be used to ridicule MS.
That is, more ammo to use when telling people to get off of MSIE. The prospect of having a webpage completely wipe their hard drives clean is something that should scare even the most lackadaisical of users.
What if the hokey-pokey really is what it's all about?
I shudder at the thought of running any code that I (or at least someone else) have not inspected. Just another reason to use Firefox and other open source software.
Slashdot = ((Technology + Politics) / Trolls) % Grammar Nazis
well, it is pretty obvious. although the key phrase here is "if the user's security settings are set low enough."
i mean, any operating system is vulnerable to an exploit if its security infrastructure is sufficiently loose. if you set your entire filesystem to 777 then you're completely vulnerable on any unix-based os too.
the real questions here are:
2 1337 4 u!
If you set your entire filesystem to 777 then loads of stuff will just throw up its metaphorical hands and refuse to run. Try it on a throwaway box some time (actually, User Mode Linux is good for experimenting with Practical Unix Terrorism, but that's a whole other topic).
While I agree it's somewhat of a flamebait story, there's some validity to bashing ActiveX. You call ActiveX an old technology and so MS shouldn't be bashed for it, but as long as MS hasn't developed something better (which can take quite a while) it should be counted for as their currently best offering in that area, which is quite pathetic really. If you add to that the fact they dropped Netscape plugin support with IE6 so as to get everyone on ActiveX, it's really their own fault they're getting bashed about it.
Microsoft makes it pretty clear in the security dialog that arbitrary code can be run from a web page.
What is lacking is sandboxing. Here is a typical example. I go to a site to use a service. It has an ActiveX control. I need to use the control, but don't fully trust them. My options are A) find another service, or B) run it and hope for the best. That is unacceptable. There needs to be an option C) run it in a sandbox, and don't let it read my files or overwrite anything. I mean, this is not brain surgery here. Java can do it, and Sun does not have the OS code.