Ed Bott's Microsoft Challenge--01/04/01

By ebott
In this week's Microsoft Challenge TechMail, I provided a link to an impressive new security document from CERT, which provides important information and advice about ActiveX controls. Have you read the "Security in ActiveX" report (http://www.cert.org/reports/activeX_report.pdf)? Are you planning to change your security policy toward ActiveX based on the information in this report? If you already have an ActiveX security policy, share it with your fellow TechRepublic members.

by Stillatit In reply to Ed Bott's Microsoft Chall ...

Just when you thought it was safe to stick your nose out onto the net...

The report was a real eye-opener, and we will be implementing controls once we figure out what controls make any sense.

Ultimately we may need to look to Microsoft to re-bottle this genie. This may require a limited-capability VM initiated for each control invocation (which would give you a sandbox). The alternative is a general avoidance of *all* ActiveX, which the user community would have to impose on websites by avoiding sites which do not convert their ActiveX to a "safer" Java. (No, I do not really believe that Java is harmless either.)

Thank you, Ed. You have made my day.

by dlw6 In reply to Ed Bott's Microsoft Chall ...

When I first became aware of the growing number of exploits that used ActiveX as a vehicle, I brought it to my boss, and he gave me permission to stop it. This was in the summer of 1999.

The users didn't know ActiveX from Active Server Pages, and we shouldn't expect them to know, so there wasn't any use telling them to avoid ActiveX. I reconfigured our network security scanner (ISS RealSecure) to "kill" (TCP Reset) any ActiveX traffic.

It was transparent to the users, except for a few goof-offs who were using the web for entertainment instead of work, and they didn't want to admit that.

For a while, we'd get a few calls that went like this: "Something is wrong with the web." "Really? Mine's working fine. What are you doing or where are you going that's not working as it should?" "Uhhh...well, ummm, maybe that one site is busy. The other sites seem to work. Bye."

To date, no one has justified an official-business need for ActiveX.

Good fortune,
Don
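
Don's approach above, reconfiguring a network sensor to reset any connection carrying ActiveX, comes down to deciding from the HTTP response what counts as "ActiveX traffic". The Python below is an added example, not ISS RealSecure's signature set and not code from anyone in this thread; it shows the decision logic such a sensor needs, assuming the HTTP stream has already been reassembled and the body decoded. The markers it checks are the ones Internet Explorer uses to load a control: an <object> tag whose classid uses the clsid: scheme, a codebase attribute pointing at an .ocx/.cab/.dll/.exe package, and a Content-Type of application/x-oleobject (the type associated with .ocx files). The sample pages, host name and CLSID are constructed for the example.

```python
"""Hypothetical ActiveX-on-the-wire detector (added example, not RealSecure's rules)."""
import re
from html.parser import HTMLParser

# File types a codebase= attribute can point at to deliver a control package.
CONTROL_EXTENSIONS = (".ocx", ".cab", ".dll", ".exe")
# Response Content-Type that hands IE a control directly.
ACTIVEX_CONTENT_TYPES = {"application/x-oleobject"}
# IE's ActiveX embedding syntax: classid="clsid:{8-4-4-4-12 hex}" (braces optional).
CLSID_RE = re.compile(r"^clsid:\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)


class _ObjectTagScanner(HTMLParser):
    """Collects every <object> start tag that would load an ActiveX control."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        classid = attrs.get("classid", "").strip()
        codebase = attrs.get("codebase", "").strip()
        # codebase may carry a version suffix: .../player.cab#version=1,0,0,0
        codebase_path = codebase.split("#", 1)[0].lower()
        reasons = []
        if CLSID_RE.match(classid):
            reasons.append("clsid classid")
        if codebase_path.endswith(CONTROL_EXTENSIONS):
            reasons.append("control codebase")
        if reasons:
            self.hits.append({"classid": classid, "codebase": codebase, "reasons": reasons})


def find_activex_objects(html: str) -> list:
    """Return one dict per <object> tag in html that embeds an ActiveX control."""
    scanner = _ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def should_reset(headers: dict, body: str) -> bool:
    """Decide whether a sensor should TCP-reset the connection carrying this response.

    headers: response headers (any key case); body: the decoded response body.
    A control served as application/x-oleobject is reset without looking at the body;
    an HTML page is reset only if it embeds a control; other types pass through.
    """
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.split(";", 1)[0].strip().lower()
    if ctype in ACTIVEX_CONTENT_TYPES:
        return True
    if ctype.startswith("text/html") or not ctype:
        return bool(find_activex_objects(body))
    return False


# Constructed sample responses (not captured traffic; the CLSID and host are made up).
SAMPLE_ACTIVEX_PAGE = """<html><body>
<object classid="clsid:12345678-1234-1234-1234-123456789abc"
        codebase="http://example.invalid/controls/player.cab#version=1,0,0,0"
        width="320" height="240">
<param name="src" value="movie.dat">
</object></body></html>"""

SAMPLE_PLAIN_PAGE = """<html><body>
<object data="chart.svg" type="image/svg+xml"></object>
<a href="report.pdf">Quarterly report</a></body></html>"""

if __name__ == "__main__":
    for label, page in (("activex", SAMPLE_ACTIVEX_PAGE), ("plain", SAMPLE_PLAIN_PAGE)):
        verdict = should_reset({"Content-Type": "text/html; charset=iso-8859-1"}, page)
        print(label, "-> reset" if verdict else "-> allow", find_activex_objects(page))
```

Two caveats a sensor built this way inherits: it only sees what it can decode, so a compressed body or an HTTPS session passes untouched, and because the reset arrives after part of the page has already reached the browser, the user experience is a page that silently stops working rather than an error, which is consistent with the "something is wrong with the web" calls described above.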
