[News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing - Linux

This is a discussion on [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing - Linux ; Rogue ActiveX controls menace users ,----[ Quote ] | Flaws in ActiveX controls are being increasingly used to run security | exploits. | | [...] | | An attack exploiting this vulnerability can lead to arbitrary code execution | by ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

  1. [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

    Rogue ActiveX controls menace users

    ,----[ Quote ]
    | Flaws in ActiveX controls are being increasingly used to run security
    | exploits.
    |
    | [...]
    |
    | An attack exploiting this vulnerability can lead to arbitrary code execution
    | by a remote attacker," a blog posting by Symantec researcher Parveen
    | Vashishtha warns.
    `----

    http://www.theregister.co.uk/2007/10/24/activex_vulns/

    'Innovating' ways of excluding competition from the Web (ActiveX).


    Related:

    RealPlayer Attack Circulating

    ,----[ Quote ]
    | The attack exploits a flaw in an ActiveX browser helper object, software that
    | RealPlayer employs to help users who are experiencing technical difficulties,
    | so the PC must be using the Internet Explorer browser to be affected by this
    | particular attack, Symantec said. *
    `----

    http://news.yahoo.com/s/pcworld/2007...pcworld/138706


    Yahoo! battered by second ActiveX vulnerability

    ,----[ Quote ]
    | The vulnerabilities affect versions of Yahoo! Messenger 8.x prior to version
    | 8.1.0.419, released late last week. Users are urged to upgrade.
    `----

    http://www.theregister.co.uk/2007/09..._activex_vuln/


    Way Too ActiveX

    ,----[ Quote ]
    | Today, over at Symantec's Security Response Weblog, Greg Ahmad
    | reveals startling--and I do mean shocking--increases in ActiveX
    | vulnerabilities. According to Symantec, ActiveX vulnerabilities
    | stayed in the 12- to- 15-a-year range from 2002 to 2005. For
    | 2006, the number of vulnerabilities "reached 50," with 42 in
    | the second half of the year--coincidentally, the same time
    | period Microsoft finished up and released Internet Explorer 7.
    `----

    http://www.microsoft-watch.com/conte...129TX1K0000535
    http://tinyurl.com/33cfno


    Acer puts Active X hole on laptops

    ,----[ Quote ]
    | Laptop outfit Acer seems to have placed an Active X control on its
    | computers that seems to allow webpages to execute any program.
    |
    | This huge hole in network security has been installed on board Acer
    | lap-tops since 1998.
    `----

    http://www.theinquirer.net/default.aspx?article=36773


    Adobe Confirms 'Critical' Reader, Acrobat Exploits With IE

    ,----[ Quote ]
    | A critical security vulnerability in an ActiveX control used by
    | Internet Explorer could allow malicious hackers to use Adobe's
    | Reader and Acrobat software to launch PC hijack attacks,
    | according to a warning from Adobe Systems.
    `----

    http://www.pcmag.com/article2/0,1895,2066079,00.asp


    Month of ActiveX bugs project begins with two Office flaws

    ,----[ Quote ]
    | A hacker known as shinnai kicked off his "Month of ActiveX Bugs"
    | (MoAxB) project with a bang by exposing a number of severe
    | vulnerabilities affecting OCX controls in Microsoft Office.
    `----

    http://scmagazine.com/us/news/articl...-office-flaws/


    Vista security overview: too little too late

    ,----[ Quote ]
    | So, what have we got here? An adequately secure version of Windows,
    | finally? I think not. We have got, instead, a slightly more secure
    | version than XP SP2. There are good features, and there are good
    | ideas, but they've been implemented badly. The old problems never
    | go away: too many networking services enabled by default; too
    | many owners running their boxes as admins and downloading every
    | bit of malware they can get their hands on. But MS has, in a
    | sense, shifted the responsibility onto users: it has addressed
    | numerous issues where too much was going on automatically and
    | with too many privileges. But this simply means that the ownerw
    | ill be the one making a mess of their Windows box.
    |
    | Data hygiene is still an absolute disaster on Windows. In fact,
    | it's worse than it ever was in some ways, and that's very bad
    | indeed. Browser traces still in the registry, heavy and
    | complicated indexing to improve search, new locations where data
    | is being stored. It all adds up to a privacy nightmare. Keeping
    | a Vista box "clean" is going to be impossible for all but the
    | most knowledgeable and fastidious users.
    |
    | So don't rush out to buy Vista in hopes of getting much in
    | return security-wise. I do like some of the changes, at least
    | in theory, or as a decent platform on which to build an
    | adequately secure version of Windows one day. But that day,
    | if it ever comes, will be well in the future.
    `----

    http://www.theregister.co.uk/2007/02...rity_oversold/


    Symantec: Microsoft conflict of interest is damaging internet

    ,----[ Quote ]
    | Symantec's chief executive has lambasted Microsoft for a dangerous
    | conflict of interest as both the provider of an operating system
    | and seller of software designed to secure its users.
    |
    | [...]
    |
    | Thompson told RSA delegates: "You wouldn't want the company that is
    | keeping your books to audit your books. The same logic should apply.
    | You wouldn't want the company that created your company's operating
    | platform to be the one that is securing it from a broad range of
    | threats. It's a huge conflict of interest."
    `----

    http://www.theregister.co.uk/2007/02...son_microsoft/

  2. Re: [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

    On Thu, 25 Oct 2007 15:13:41 +0100, Roy Schestowitz wrote:

    > Rogue ActiveX controls menace users
    >
    > ,----[ Quote ]
    >| Flaws in ActiveX controls are being increasingly used to run security
    >| exploits.
    >|
    >| [...]
    >|
    >| An attack exploiting this vulnerability can lead to arbitrary code execution
    >| by a remote attacker," a blog posting by Symantec researcher Parveen
    >| Vashishtha warns.
    > `----
    >
    > http://www.theregister.co.uk/2007/10/24/activex_vulns/
    >
    > 'Innovating' ways of excluding competition from the Web (ActiveX).


    This is such a red herring. None of these problems are related to ActiveX
    itself. It's flaws in the plug-ins. Mozilla has binary, non-sandboxed
    native code plug-ins as well, and nothing in Mozilla would prevent a flaw
    in one of those plug-ins from being used to gain control of a machine.

    The difference is tha Mozilla is not the browser used, and supported, by
    the majority of plug-in makers, and as such has far fewer potential targets
    for attackers to probe.

  3. Re: [News] [Rival] ActiveX Makes Windows a Risky Platform forSurfing

    On Thu, 25 Oct 2007 10:01:38 -0500, Erik Funkenbusch wrote:

    > On Thu, 25 Oct 2007 15:13:41 +0100, Roy Schestowitz wrote:


    Snip ...

    >> http://www.theregister.co.uk/2007/10/24/activex_vulns/
    >>
    >> 'Innovating' ways of excluding competition from the Web (ActiveX).

    >
    > This is such a red herring. None of these problems are related to
    > ActiveX itself. It's flaws in the plug-ins. Mozilla has binary,
    > non-sandboxed native code plug-ins as well, and nothing in Mozilla would
    > prevent a flaw in one of those plug-ins from being used to gain control
    > of a machine.
    >
    > The difference is tha Mozilla is not the browser used, and supported, by
    > the majority of plug-in makers, and as such has far fewer potential
    > targets for attackers to probe.


    I'm no expert, but AFAIK it's easier to gain control of a machine if the
    vulnerable app is running with root (or admin, in that netherworld)
    privileges than if the app is being run as a non-privileged user. I think
    a poll is in order here:

    How many linux users browse the web as root?

    How many Windows users browse the web as admin?

    Be truthful.

    --
    This message is brought to you by your Department of Redundancy Department.

  4. Re: [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

    ____/ Peter Köhlmann on Friday 26 October 2007 01:46 : \____

    > skydweller wrote:
    >
    >> On Thu, 25 Oct 2007 10:01:38 -0500, Erik Funkenbusch wrote:
    >>
    >>> On Thu, 25 Oct 2007 15:13:41 +0100, Roy Schestowitz wrote:

    >>
    >> Snip ...
    >>
    >>>> http://www.theregister.co.uk/2007/10/24/activex_vulns/
    >>>>
    >>>> 'Innovating' ways of excluding competition from the Web (ActiveX).
    >>>
    >>> This is such a red herring. None of these problems are related to
    >>> ActiveX itself. It's flaws in the plug-ins. Mozilla has binary,
    >>> non-sandboxed native code plug-ins as well, and nothing in Mozilla would
    >>> prevent a flaw in one of those plug-ins from being used to gain control
    >>> of a machine.
    >>>
    >>> The difference is tha Mozilla is not the browser used, and supported, by
    >>> the majority of plug-in makers, and as such has far fewer potential
    >>> targets for attackers to probe.

    >>
    >> I'm no expert, but AFAIK it's easier to gain control of a machine if the
    >> vulnerable app is running with root (or admin, in that netherworld)
    >> privileges than if the app is being run as a non-privileged user. I think
    >> a poll is in order here:
    >>
    >> How many linux users browse the web as root?
    >>

    > Practically none
    >
    >> How many Windows users browse the web as admin?
    >>

    >
    > Practically all of them


    Vista has arguably made things worse. Consider:


    Windows Vista Tip: Run as administrator

    ,----[ Quote ]
    | This will make every admin operation prompt you for credentials
    | while it is great if you do a lot of remote operations it can
    | become tedious if you are performing a lot of local admin operations.
    `----

    http://windowsconnected.com/blogs/jo...nistrator.aspx
    http://tinyurl.com/y64c6r


    The Truth About User Privileges

    ,----[ Quote ]
    | Has the time finally come for the least-privilege user -- you know,
    | setting your Windows client machines to run without system
    | administrator rights?
    |
    | [...]
    |
    | Today, some Windows applications just won't run properly on a
    | desktop without administrative rights. "It's a dirty little
    | secret people sweep under the rug because they're not able to
    | do much about the problem. A lot of applications and pieces
    | of environments won't work if users aren't given admin rights,"
    | says Steve Kleynhans, vice president for Gartner's client
    | platforms group. "If you can get applications to function
    | with lower rights, in a lot of cases it hampers the user
    | experience."
    `----

    http://www.darkreading.com/document....WT.svl=news1_1


    Vista User Account Control and the Linux Superuser

    ,----[ Quote ]
    | So, when I was researching the way to determine the shadow storage
    | size on Windows Vista for my February 23rd entry, I wasn't too surprised
    | when I got an error message about needing to elevate my privilege after
    | I tried to run vssadmin from a standard command shell. What a Linux
    | system would have done right there would be to ask me for the
    | administrator password.
    `----

    http://weblog.infoworld.com/stratdev...user_acco.html


    Vista's UAC needs an overhaul. Ideas?

    ,----[ Quote ]
    | It seems like everyone, other than possibly Microsoft's Vista team
    | itself, seems to believe that the User Account Control (UAC) in
    | Vista already needs an overhaul.
    `----

    http://blogs.zdnet.com/microsoft/?p=277


    Windows Vista: Secure Or Just Frustrating?

    ,----[ Quote ]
    | The problem with Vista’s security implementation is that lots of warning
    | dialog boxes don't provide security. Users get frustrated and eventually stop
    | reading them altogether. They think of them as annoyances, an extra click
    | required to get a feature to work. Is Windows Vista really more secure than
    | the operating systems that preceded it, or simply more frustrating? Since
    | Microsoft left us with no choice but to buy a PC with Vista pre-installed,
    | we’re inevitably stuck with it. Let the frustration begin. * * *
    `----

    http://www.theitarticles.com/windows...ustrating/264/


    ,----[Quote ]
    | "Oh, excuse me, is this supposed be a joke? We all remember all those
    | Microsoft's statements about how serious Microsoft is about security in
    | Vista and how all those new cool security features like UAC or Protected
    | Mode IE will improve the world's security. And now we hear what?
    `----

    http://theinvisiblethings.blogspot.c...-big-joke.html


    Vista's Faux Security

    ,----[ Quote ]
    | At the end of the new Apple ad, the security guard finally asks the
    | hapless PC: "You are coming to a sad realization. Cancel or allow?"
    |
    | Unfortunately, after conditioning the world to click "allow," all
    | Microsoft will have accomplished is to pass the buck to the hapless
    | PC user, trying to make the user responsible for anything bad that
    | happens because they ultimately chose to allow it.
    |
    | While that may allow Microsoft?s security engineers to sleep at night,
    | the rest of us won't rest as easy until Vista's holes are plugged
    | with something more substantial than a dialog box.
    `----

    http://www.esecurityplanet.com/artic...1162_3660976_2


    Vista's UAC security is hopeless, says Symantec

    ,----[ Quote ]
    | A key security feature of Windows Vista, User Account Control (UAC) is
    | still nearly unusable, Symantec has said.
    |
    | At a press presentation last week, Symantec vice president of
    | engineering Rowan Trollope said Symantec's customers had found the
    | feature so "chatty", that it was a burden on users, potentially
    | creating new help-desk calls.
    `----

    http://www.techworld.com/news/index.cfm?RSS&NewsID=7769


    Windows Vista set to overwhelm helpdesks

    ,----[ Quote ]
    | The Windows Vista features that will most benefit end users are
    | likely to cause a flood of calls to enterprise IT help desks, it
    | was claimed today.
    |
    | SupportSoft predicted that one of the main areas in which
    | end-users are likely to experience problems will be dealing
    | with Vista's security features.
    `----

    http://www.itnews.com.au/newsstory.aspx?CIaNID=44424


    Windows Forces you to use UAC to Add a Printer

    ,----[ Quote ]
    | Another bug that got past the extensive RTM testing process? Nope.
    | It's a bug that came into existence during the finalization process.
    | This bug wasn't there in RC2, but it's most definitely there now. All
    | we can say is, hopefully this gets patched before SP6.
    `----

    http://neosmart.net/blog/archives/326


    Vista: Slow and Dangerous

    ,----[ Quote ]
    | Most of the time I spent testing Vista was with sluggish pre-release
    | versions. I expected things to improve when I ran the finished software
    | on PCs configured for the new Windows version. I now realize that
    | Vista really is slow unless you throw a lot of hardware at it.
    | Microsoft claims it will run with 512 megabytes of memory. I had
    | recommended a minimum of a gigabyte, but 2 GB is more like it if
    | you want snappy performance.
    |
    | [...]
    |
    | The most exasperating thing about Vista, though, is the security
    | feature called User Account Control. UAC, satirized in an Apple
    | ad as a security guy who constantly interrupts a conversation,
    | appears as a pop-up asking permission before Windows...
    `----

    http://www.keepmedia.com/pubs/Busine.../03/26/3124001


    Microsoft: Turn off Vista's UAC to fix problems

    ,----[ Quote ]
    | I've been fairly critical of the new User Access Control (UAC) in
    | Windows Vista, as I feel it is too secure to be usable, which will
    | probably result in many users and corporations turning off and
    | losing out on what could have been Vista?s best feature.
    |
    | [...]
    |
    | He recommends turning UAC back on after fixing the problem, but
    | when users need to do this more than a couple of times to get a
    | usable system, they will just leave it turned off.
    `----

    http://beta.amanzi.co.nz/2006/11/13/...-fix-problems/


    'Vista's Account Protection: One Click and It's Gone'

    ,----[ Quote ]
    | One of Vista's big security features is 'User Account Protection'
    | (or 'User Account Control') which pops up and asks for user
    | authentication before software can make any administrative changes to
    | the system. But the TweakVista utility can turn off UAP in one click...
    `----

    http://securitydot.net/news/exploits...2661/news.html

    Did you know that Microsoft has just patented sudo?


    >> Be truthful.
    >>

    >
    > Erik? You've got to be kidding


    --
    ~~ Best of wishes

    ..oʍʇ sɐ buıɥʇ ɥɔns ou s,ǝɹǝɥʇ 'ɹǝpuǝq 'ʎɹɹoʍ ʇ,uop :ʎɹɟ
    ..oʍʇ ɐ ʍɐs ı ʇɥbnoɥʇ ı puɐ ...ǝɹǝɥʍʎɹǝʌǝ soɹǝz puɐ sǝuo .ɯɐǝɹp 1nɟʍɐ uɐ
    ʇɐɥʍ 'ɥɥɥɐ :ɹǝpuǝq
    http://Schestowitz.com | Open Prospects | PGP-Key: 0x74572E8E
    Tasks: 116 total, 1 running, 113 sleeping, 0 stopped, 2 zombie
    http://iuron.com - knowledge engine, not a search engine

  5. Re: [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

    skydweller wrote:

    > On Thu, 25 Oct 2007 10:01:38 -0500, Erik Funkenbusch wrote:
    >
    >> On Thu, 25 Oct 2007 15:13:41 +0100, Roy Schestowitz wrote:

    >
    > Snip ...
    >
    >>> http://www.theregister.co.uk/2007/10/24/activex_vulns/
    >>>
    >>> 'Innovating' ways of excluding competition from the Web (ActiveX).

    >>
    >> This is such a red herring. None of these problems are related to
    >> ActiveX itself. It's flaws in the plug-ins. Mozilla has binary,
    >> non-sandboxed native code plug-ins as well, and nothing in Mozilla would
    >> prevent a flaw in one of those plug-ins from being used to gain control
    >> of a machine.
    >>
    >> The difference is tha Mozilla is not the browser used, and supported, by
    >> the majority of plug-in makers, and as such has far fewer potential
    >> targets for attackers to probe.

    >
    > I'm no expert, but AFAIK it's easier to gain control of a machine if the
    > vulnerable app is running with root (or admin, in that netherworld)
    > privileges than if the app is being run as a non-privileged user. I think
    > a poll is in order here:
    >
    > How many linux users browse the web as root?
    >

    Practically none

    > How many Windows users browse the web as admin?
    >


    Practically all of them

    > Be truthful.
    >


    Erik? You've got to be kidding
    --
    Modern man is the missing link between apes and human beings.


  6. Re: [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

    Peter Khlmann wrote:

    >> Be truthful.

    >
    >Erik? You've got to be kidding


    Hehe. I think he'd injure himself trying.


  7. Re: [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

    chrisv wrote:

    > Peter Köhlmann wrote:
    >
    >>> Be truthful.

    >>
    >>Erik? You've got to be kidding

    >
    > Hehe. I think he'd injure himself trying.


    Yeah, I think he'd have an infarction.

    --
    Operating systems: FreeBSD 6.2, PC-BSD 1.4,
    Testing: FreeBSD 7.0-BETA1.5
    Linux systems: Debian 4.0, PCLinuxOS 2007,
    Kubuntu 7.10 "Gutsy"

  8. activEx makes windows a risky platform for surfing

    Erik Funkenbusch wrote:

    > On Thu, 25 Oct 2007 15:13:41 +0100, Roy Schestowitz wrote:


    >> 'Innovating' ways of excluding competition from the Web (ActiveX).


    > This is such a red herring. None of these problems are related to ActiveX itself. It's flaws in the plug-ins ..


    Mozilla doesn't run ActiveX controls .. and in a link from the Reg
    article ..

    "ActiveX File Overwrite/Delete Vulnerabilities"

    "These vulnerabilities exist particularly because of a registered
    ActiveX control failing to restrict which domains may load the control
    for execution"

    "A user will not be required to authorize the object instantiation since
    the object is within a signed ActiveX control"


    "A typical exploitation scenario would require an attacker to convince a
    targeted user to visit a malicious Web site"

    http://www.symantec.com/enterprise/s...edelete_v.html

    --

    fuddie will now redefine the meaning of: control, restrict, authorize
    and run ...

  9. Re: [News] [Rival] ActiveX Makes Windows a Risky Platform for Surfing

    In article ,
    skydweller wrote:
    > I'm no expert, but AFAIK it's easier to gain control of a machine if the
    > vulnerable app is running with root (or admin, in that netherworld)
    > privileges than if the app is being run as a non-privileged user. I think
    > a poll is in order here:


    It depends on what you mean by "gain control of a machine". If you want
    to install something that has complete control of the machine, so that
    you could do things like wipe the hard disk, or install a root kit, or
    things like that, then yeah, you generally need to be running as root to
    do that.

    However, the goal of most malware nowadays is to use the machine for
    things like sending spam, or participating in DDOS attacks, and things
    like that. All the malware needs is to be able to get a network
    connection, which works fine as an ordinary user. No need for root.

+ Reply to Thread