Slashdot Mirror


Brian Hook on the ActiveX Experience

Obiwan Kenobi writes "Brian Hook of id Software fame got around to developing on ActiveX and found some minor grievances, particularly in the security department. To quote: "I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is. I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.""

3 of 523 comments

  1. Old news... by Fizzlewhiff · · Score: 0, Redundant

    Gosh, I remember talking about this stuff around 1996. Never saw the widespread abuse that we were predicting back then.

    --

    'Same speed C but faster'
  2. What a lot of bullshit FUD by wamatt · · Score: 1, Redundant

    Ok, I don't like ActiveX as much as the next guy, but this is:

    1: Old news
    2: No one cares (see 1)

    It's looking for a story that's not there. Any system can be easily compromised if "security levels are set low". The point is ActiveX is "out the box secure" - that is... unsigned code is not allowed to run.

  3. Re:Gee, that's news... by LO0G · · Score: 0, Redundant

    My question is: What's the difference between a signed ActiveX control and a browser extension?

    Can you meet all of your requirements for a random FF extension?

    Code signing provides evidence to you of the author of the code. So does an extension being located on mozilla.org.

    But you as the user ultimately need to decide if you trust the person who authored (or published) the code.