[Techtalk] why is Active X in web pages evil, but not Perl/PHP/Javascript?

gebhard dettmar gebhard.dettmar at student.hu-berlin.de
Thu Jan 20 08:34:26 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 19 January 2005 18:05, Carla Schroder wrote:
> hola techtalkers,
>
> As the subject line says, why is Active X in web pages evil, but not
> Perl/PHP/Javascript? I have some vague notions about operating system
> architecture and being too friendly to remote code execution, but I
> would appreciate some precise notions from people who know.
Well, like the others said, JavaScript runs in the browser. Just check it 
out with code like this (note: it's performed within HTML, just like PHP, 
but within your browser. PHP is performed on a server that got a 
GET request from your browser; a typical example is a mail inbox in 
SquirrelMail):
<html><head>
<title>evil Popup</title>
</head>
<body onload="plopp()">
<script type="text/javascript">
        <!-- hide from old browsers
        function plopp()
          {
          // 'var' keeps the counter local instead of leaking a global
          for (var i = 0; i < 10; i++)
            alert("Like clicking ;-)");
          }
        // done hiding -->
</script>
<p> Here, you have to click 10x. You know what this meant: i < 10000 ;-(
</p></body></html>
AFAIK JS is often used for trojan horses, but I'm not a virus expert. I 
know definitely that it's possible to use it for sending e-mail from the 
victim's mail client.
But ActiveX is much worse. It's the MS counterpart to Java applets (which 
means: a full-blown application). The security policy of Java is to let 
applets run in a secure environment called the sandbox. MS has just a 
so-called Authenticode, which is a joke (a certificate to verify the 
origin; it doesn't prevent the app from running on the user's system ;-( ).
ActiveX manages e.g. the IE plugins (PDF, Flash, Shockwave etc.), which 
makes it extremely uncomfortable to switch it off. 
One thing about JavaScript: I cannot think of any security issue on Linux. On 
Windows + IE it's dangerous. IE's security settings don't distinguish between 
VBScript, JavaScript etc.; it's all just called 'Scripting'.
Then add IE's deep integration into the system and you can easily imagine 
why especially ActiveX is supposed to be 'evil' :-)
> thanks!
Regards, Gebhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFB7tJ89EYTTD7FjIERAiC/AJ4z7w7bP8wBjzmO3Wn9fZgZeag1mACeLG1v
FQnAYt6LnnIf9ZCO806RgjM=
=FEV1
-----END PGP SIGNATURE-----

