[opendtv] Re: It's Active X, not IE

  • From: Kon Wilms <kon@xxxxxxxxxxxx>
  • To: opendtv@xxxxxxxxxxxxx
  • Date: Sun, 04 Jul 2004 21:06:57 -0700

Manfredi, Albert E wrote:
> CERT said vulnerabilities in IIS and IE could include MIME-type
> determination, the DHTML object model, the IE domain/zone
> security model and ActiveX scripts. Alternative browsers such as
> Mozilla or Netscape may not protect users, the agency warned, if
> those browsers invoke ActiveX control or HTML rendering engines.
> 
> The only defense may be completely disabling scripting and
> ActiveX controls.

Trust the government to be absolutely and completely clueless.

Firefox and friends add scriptable browser functionality by way of 
extensions. Right now, there is no requirement to cryptographically sign 
these extensions or validate them against an independent 3rd party 
secure signature authority. Some of these extensions have sloppy code 
and come from 3rd party websites.

Doing harm by way of these alternate browsers is pretty easy too. Not 
much harder than compromising the host's website and replacing his 
extension with one that has been altered.

Of course, it's widely accepted that the users of these browsers are savvy 
enough to be up on this kind of problem, but with a government 
recommendation to use other browsers, you bet a lot of clueless people 
will be adopting these as their default, under the assumption that they 
are now safe from anything and everything.

There is nothing wrong with ActiveX as a technology. Anyone who says so is 
an idiot. The problem lies in sloppy code and bad implementations, in 
combination with bad distribution, insecure validation, and a broken 
hosting model. Unfortunately in this case the current purveyor of this 
technology messed up.

Cheers
Kon
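The install-time check that the post says is missing (a publisher signature over the extension, verified against a key the browser already trusts, so that a compromised hosting site cannot swap in an altered package) looks like this. This is an added example written for this page, not code from the OpenDTV list, Firefox, or any extension system; the manifest layout, the `Publish`/`VerifyInstall` names and the Ed25519 choice are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the publisher signs: extension name, version and the
// SHA-256 of the packaged archive. Because the signature covers the whole
// manifest, neither the archive nor its metadata can change undetected.
// (Hypothetical layout, not any real extension format.)
type Manifest struct {
	Name    string
	Version string
	SHA256  [32]byte
}

// Bytes returns the canonical serialization that is signed and verified.
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + hex.EncodeToString(m.SHA256[:]) + "\n")
}

// SignedPackage is what a hosting site serves: the archive, its manifest and
// the publisher's detached signature over the manifest.
type SignedPackage struct {
	Archive   []byte
	Manifest  Manifest
	Signature []byte
}

// Publish hashes the archive, fills in the manifest and signs it with the
// publisher's private key. This happens on the publisher's side, offline;
// the hosting site never holds the signing key.
func Publish(priv ed25519.PrivateKey, name, version string, archive []byte) SignedPackage {
	m := Manifest{Name: name, Version: version, SHA256: sha256.Sum256(archive)}
	return SignedPackage{Archive: archive, Manifest: m, Signature: ed25519.Sign(priv, m.Bytes())}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrHashMismatch = errors.New("archive hash does not match the signed manifest")
)

// VerifyInstall is the check the browser runs before installing: the manifest
// must carry a valid signature from a key the browser already trusts (pinned
// and obtained out of band, not downloaded from the same host), and the
// archive must hash to the value inside that signed manifest. A host that
// replaces the archive, edits the manifest, or re-signs with its own key
// fails one of the two checks.
func VerifyInstall(trusted ed25519.PublicKey, pkg SignedPackage) error {
	if !ed25519.Verify(trusted, pkg.Manifest.Bytes(), pkg.Signature) {
		return ErrBadSignature
	}
	if got := sha256.Sum256(pkg.Archive); !bytes.Equal(got[:], pkg.Manifest.SHA256[:]) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed publisher key pair and archive bytes for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	archive := []byte("constructed extension archive bytes")
	pkg := Publish(priv, "example-ext", "1.0", archive)
	fmt.Println("genuine package:", VerifyInstall(pub, pkg))

	// Simulated hosting-site compromise: the archive is replaced but the
	// publisher's signed manifest cannot be updated to match it.
	swapped := pkg
	swapped.Archive = []byte("constructed archive with altered contents")
	fmt.Println("swapped archive:", VerifyInstall(pub, swapped))
}
```

The important design point is where the trusted key comes from: it must be pinned in the browser or fetched from an independent authority, as the post argues, because a key served alongside the package from the same compromised host proves nothing.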