[Techtalk] why is Active X in web pages evil, but not Perl/PHP/Javascript?

Conor Daly conor.daly at cod.utvinternet.com
Thu Jan 20 09:59:50 EST 2005


On Wed, Jan 19, 2005 at 12:11:58PM -0500 or so it is rumoured hereabouts, 
Elwing thought:
> 
> In the case of ActiveX, you create code that is downloaded to the 
> client, then the client executes it with the permissions of the user 
> running IE.  ActiveX has all kinds of hooks into the operating system 
> (all the same ones IE has which makes it almost impossible to remove 
> from a Windows system), including the ability to write registry entries, 
> read address books, etc.  Theoretically, IE sandboxes ActiveX code, but 
> many users turn this option off because it's annoying; it's also the 
> default to run ActiveX code on almost all older versions of Windows.

So essentially, ActiveX (and MS Windows VBScript) give the server root
access to your machine...  It's detailed in "EXTREME RISKS IN MICROSOFT
VBS SCRIPTING HOST" at: http://www.nsclean.com/psc-vbs.html

Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Hobbiton.cod.ie
 22:45:02  up  3:18,  1 user,  load average: 0.00, 0.00, 0.00

