Manfredi, Albert E wrote:

> CERT said vulnerabilities in IIS and IE could include MIME-type
> determination, the DHTML object model, the IE domain/zone
> security model and ActiveX scripts. Alternative browsers such as
> Mozilla or Netscape may not protect users, the agency warned, if
> those browsers invoke ActiveX control or HTML rendering engines.
>
> The only defense may be completely disabling scripting and
> ActiveX controls.

Trust the government to be absolutely and completely clueless.

Firefox and friends add scriptable browser functionality by way of extensions. Right now, there is no requirement to cryptographically sign these extensions or validate them against an independent 3rd party secure signature authority. Some of these extensions have sloppy code and come from 3rd party websites. Doing harm by way of these alternate browsers is pretty easy too. Not much harder than compromising the host's website and replacing his extension with one that has been altered.

Of course, it's widely accepted that the users of these browsers are savvy enough to be up on this kind of problem, but with a government recommendation to use other browsers, you bet a lot of clueless people will be adopting these as their default, under the assumption that they are now safe from anything and everything.

There is nothing wrong with ActiveX as a technology. Anyone who says so is an idiot. The problem lies in sloppy code and bad implementations, in combination with bad distribution, insecure validation, and a broken hosting model. Unfortunately in this case the current purveyor of this technology messed up.

Cheers
Kon