[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] RIP: ActiveX controls in Internet Explorer? 

"Richard M. Smith" <rms@computerbytesman.com> wrote:

> As everyone knows, ActiveX controls and the <OBJECT> tag has been a big
> source of security holes in Internet Explorer.  ...

And serious exposures in other browsers too.

Remember, the folk writing most of these fancy plug-in doo-dad 
thingamies are largely clueless about "Internet security" and the 
ramifications of accepting arbitrary data, particularly if it is not 
produced by their own software at the "other end of the pipe".  In 
fact, I'd not be surprised if, on average, they are much worse than MS 
but have managed to evade the spotlight due to the preponderance of 
attention several hundred million more potential targets buys MS...  
For just one chronically bad, equal-to-anything-ever-in-IE, example 
just look at the very recently disclosed RealOne Player, et al. bug 
(sorry, URL will wrap):

http://www.digitalpranksters.com/advisories/realnetworks/smilscriptproto
col.html

> ...  However, it looks like
> support for ActiveX controls is going to be removed from Internet
> Explorer.  A small company called Eolas recently won a $521 million
> judgment against Microsoft for patent infringement.  The Eolas patent
> covers plugins in Web pages to show multimedia content.  

Yes -- kinda nice result (and there I was thinking software patents 
were necessarily "all bad"...  8-) ).

> The $521 million payment covers past infringement.  Because Bill Gates
> loathes to pay per-copy royalties, ...

How ironic.  Given that a large chunk of his personal fortune is due to 
the unethical and illegal "Windows tax"collected by his company for all 
those years (and still effectively being paid by many choosing not to 
run his company's OSes), and given his company's (legal department's) 
repeated statements about how much the company respects IP and depends 
on protecting its own IP, and given the clearly gross profiteering the 
company has engaged in to accumulate at least $49 billion cash reserves 
(sorry -- $48.479 billion now), you'd think shelling out a few cents 
per copy of Windows to show your respect for someone else's IP used 
liberally in a critical component of your OS (another irony -- the DoJ 
defense comes full circle to bite Bill's arse to the tune of $521 
million) would be small beer...

> ... it looks like Microsoft is going to
> either partially or completely remove support for ActiveX controls in
> Internet Explorer rather than pay Eolas any more money.  

Cool.

Pity though that that other recent court ruling threatening to require 
MS to ship a true Java client didn't stick -- had it, MS would have had 
an easy solution _and_ an easy out for the total about-face of such a 
move.  Combined these two rulings could have saved its sorry arse 
basically for free, aside from the loss of face...

<<snip patent talk>>
> The W3C has set up a discussion list to talk about replacements for
> ActiveX in Internet Explorer:
> 
>    http://www.w3.org/2003/08/patent

Fortunately the corruption of W3C's role apparent in your chosen 
wording (making W3C the driver of "standards" to cement IE as _the_ web 
browser) is not actually reflected in the content of that page!  8-)

It seems they really are concerned that this patent will upset the 
whole applecart (or at least, a substantial chunk of the applecart 
developer market -- I doubt the folk behind Lynx are too concerned).
That said however, several of the heavy-hitters in W3C potentially have 
a lot to lose if this patent has teeth and is applied to other browsers 
too -- dream of a web without SWF and all those other, lesser third-
party abominations that so seriously detract from the original 
concept...  Then consider the W3C's stated goals:

   http://www.w3.org/Consortium/#goals

and in particular:

   1. Universal Access: To make the Web accessible to all by promoting
   technologies that take into account the vast differences in culture,
   languages, education, ability, material resources, access devices,
   and physical limitations of users on all continents;

> I hope that security people also join this list.  This redesign of the
> Internet Explorer browser looks like the perfect time to put pressure on
> Microsoft to put in place a proper security system for browser add-ins. 

Indeed.

Unfortunately, the page linked above is rather telling -- it does not 
mention the words "secure", "securely" or "security" once.  Given this 
lofty ideal from:

   http://www.w3.org/Consortium/#mission

   ... To meet the growing expectations of users and the increasing
   power of machines, W3C is already laying the foundations for the
   next generation of the Web. W3C's technologies will help make the
   Web a robust, scalable, and adaptive infrastructure for a world of
   information.

I'd say its about time the W3C addressed security issues head-on.  Of 
course, how willing and able a standards body stacked with the 
commercial interests of its industry sector might be to completely 
revamping and correcting its previous errors is a good question...

Given that it has, to date, apparently shown exceedingly scant regard 
for security issues giving us, for example, such miserable things (from 
a security perspective) as embedded, comprehensive scripting whose main 
development goal seems to be encouraging the wholesale deployment of 
the generally dodgy practice of self-modifying code, one must question 
whether it collectively has a single security clue.  Of course, much of 
W3C's sad history in "WWW standards setting" has actually been the 
"standard" _catching up_ with what the (then) major players' browsers 
were already doing, rather than taking the trail-blazing role of 
proactive leadership, considering the greater collective good so 
suggestively embodied in the ideals of its mission statement.

I'd rate its efforts to date "E-minus, could do _much_ better".

But maybe I'm just too old and cynical and W3C actually can do 
something to improve (future) browser security...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html