[Techtalk] why is Active X in web pages evil, but not Perl/PHP/Javascript?

Wim De Smet kromagg at gmail.com
Thu Jan 20 21:30:18 EST 2005


On Wed, 19 Jan 2005 11:27:59 -0600, Meredith L. Patterson
<mlp at thesmartpolitenerd.com> wrote:
> Quoting Carla Schroder <carla at bratgrrl.com>:
> 
> > As the subject line says, why is Active X in web pages evil, but not
> > Perl/PHP/Javascript?
> 
> Perl and PHP run on the server side, rather than the client side. As such, they
> have no access to the user's machine. It's still possible to use information
> that's provided via the http protocol to scare people who don't know what
> they're doing ("How does your webpage know that I'm using Mozilla?!?"), but all
> processing is done on the server side, which sends back html[1] data and is
> displayed.
> 
> PHP has security holes crop up from time to time, but they're a danger to the
> server, not the client.
> 
> Javascript I know very little about (other than that I don't like writing it),
> so I'll let other people talk about it. It does execute in the client's browser,
> and there are indeed Javascript exploits. (One subtle difference: Javascript is
> *compiled* on the server side, but the bytecode is *executed* on the client side.)

Most Javascript exploits are limited in scope compared to ActiveX, though.
They usually crop up in IE because of the Microsoft JScript
extensions, which allowed you to do such nifty things as delete files
on the HD, etc.

> 
> And I know nothing whatsoever about ActiveX, other than that most people turn
> both it and Javascript off in their browsers.

One particularly nasty aspect of ActiveX is the idea of "signed"
controls. Once the user accepts the validity of a signed control, he is
never bothered with it again. Problem is: most users will accept all
signed controls because Microsoft seems to let on that they are safe.
In reality, all you need is 20 bucks or so to get a valid certificate.
Then there is the fact that if you happen to get hold of a general
enough signed control (say a control that accepts parameters for files
to install on a person's computer) and that user has accepted the
signature on _another_ server, he is now at your mercy because he will
never be asked whether he wants to execute the code (which is now
happily installing spyware).

So yeah, I'd say ActiveX is definitely evil.

greets,
Wim