Manfredi, Albert E wrote:
> CERT said vulnerabilities in IIS and IE could include MIME-type
> determination, the DHTML object model, the IE domain/zone
> security model and ActiveX scripts. Alternative browsers such as
> Mozilla or Netscape may not protect users, the agency warned, if
> those browsers invoke ActiveX control or HTML rendering engines.
>
> The only defense may be completely disabling scripting and
> ActiveX controls.
Trust the government to be absolutely and completely clueless.
Firefox and friends add scriptable browser functionality by way of
extensions. Right now, there is no requirement to cryptographically sign
these extensions or validate them against an independent 3rd party
secure signature authority. Some of these extensions have sloppy code
and come from 3rd party websites.
Doing harm by way of these alternate browsers is pretty easy too. Not
much harder than compromising the host's website and replacing his
extension with one that has been altered.
Of course, it's widely accepted that the users of these browsers are savvy
enough to be up on this kind of problem, but with a government
recommendation to use other browsers, you bet a lot of clueless people
will be adopting these as their default, under the assumption that they
are now safe from anything and everything.
There is nothing wrong with ActiveX as a technology. Anyone who says so is
an idiot. The problem lies in sloppy code and bad implementations, in
combination with bad distribution, insecure validation, and a broken
hosting model. Unfortunately in this case the current purveyor of this
technology messed up.
Cheers
Kon
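The check Kon says is missing, signing extensions and validating them against a key the browser already trusts, looks roughly like the following. This is an added illustration, not code from the post, from Firefox, or from any browser; the package layout, the `Sign`/`Verify` functions and the sample archive bytes are all constructed for the example. It uses Ed25519 from the Go standard library with a pinned authority key, and shows that both a swapped archive (the hosting-site scenario in the post) and a package signed by an untrusted key are rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedExtension bundles an extension archive with a detached signature.
// Constructed layout for this example; no real browser uses it as-is.
type SignedExtension struct {
	Archive   []byte // the extension's bytes (stand-in for a zip/xpi)
	Signature []byte // Ed25519 signature over SHA-256(Archive)
}

// digest returns SHA-256 of the archive; the signature covers this
// fixed-size value rather than the archive itself.
func digest(archive []byte) []byte {
	h := sha256.Sum256(archive)
	return h[:]
}

// Sign produces a signed extension with the authority's private key.
// In a real deployment only the signing authority holds this key.
func Sign(priv ed25519.PrivateKey, archive []byte) SignedExtension {
	return SignedExtension{
		Archive:   append([]byte(nil), archive...),
		Signature: ed25519.Sign(priv, digest(archive)),
	}
}

// Verify is what a browser would run before loading an extension: it
// accepts the package only if the signature checks out under a public key
// pinned in the browser, never a key shipped alongside the download.
func Verify(trusted ed25519.PublicKey, ext SignedExtension) bool {
	if len(ext.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(trusted, digest(ext.Archive), ext.Signature)
}

// Demo walks through the three cases the post is concerned with and returns
// (genuine accepted, tampered rejected, foreign-key rejected).
func Demo() (bool, bool, bool) {
	authorityPub, authorityPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed extension archive v1.0")
	signed := Sign(authorityPriv, genuine)

	// 1. Untouched package from the legitimate publisher.
	okGenuine := Verify(authorityPub, signed)

	// 2. Same signature, but the archive on the hosting site was replaced.
	tampered := signed
	tampered.Archive = []byte("constructed extension archive v1.0 + extra code")
	okTampered := Verify(authorityPub, tampered)

	// 3. A package signed by some other key the browser does not trust.
	_, strangerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	foreign := Sign(strangerPriv, genuine)
	okForeign := Verify(authorityPub, foreign)

	return okGenuine, !okTampered, !okForeign
}

func main() {
	g, t, f := Demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, foreign key rejected: %v\n", g, t, f)
}
```

The point of pinning the authority key inside the browser is that an attacker who controls the hosting website cannot simply re-sign the altered extension, because the browser ignores any key that arrives with the download.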
----------------------------------------------------------------------
You can UNSUBSCRIBE from the OpenDTV list in two ways:
- Using the UNSUBSCRIBE command in your user configuration settings at
FreeLists.org
- By sending a message to: opendtv-request@xxxxxxxxxxxxx with the word
unsubscribe in the subject line.