Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Active X exploit.
From: paulle () MICROSOFT COM (Paul Leach)
Date: Tue, 26 Aug 1997 16:55:47 -0700


What ActiveX doesn't have is a sandbox. That's different than saying
that there's no security.

ActiveX controls are _signed_ DLLs. You run the code if you trust the
signer. If you do, you know that no one has tampered with the code since
the signer signed it.

That's more secure than what I buy at the store.


----------
From:         Andreas Bogk[SMTP:andreas () ARTCOM DE]
Reply To:     Andreas Bogk
Sent:         Tuesday, August 26, 1997 3:40 PM
To:   BUGTRAQ () NETSPACE ORG
Subject:      Re: Active X exploit.

"Peter" == Peter Shipley <shipley () DIS ORG> writes:

    Peter> There is a new expliot for active X
    Peter>     http://www.network-security.com/activex/

This exploit is not new, a similiar program has been around on

http://www.thur.de/home/steffen/activex/index_e.html

since march. And the principle is the same on all ActiveX
exploits. There simply is no security, ActiveX controls are simple
DLLs.

Andreas

--
Never underestimate the value of fprintf() for debugging purposes.




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault