[News] Microsoft ActiveX Controls Strike Again, Dumping Recommended - Linux


  1. [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended

    New Attack Kit Targets Bag of ActiveX Bugs

    ,----[ Quote ]
    | Bugs in ActiveX, a Microsoft technology used most often to create add-ons for
    | the company's Internet Explorer (IE) browser, have always been common, but so
    | many serious flaws have been disclosed of late that some security experts
    | have recommended users do without them.
    `----

    http://www.pcworld.com/article/id,14...1/article.html

    But Miguel loves ActiveX. He said so.

    "We should dedicate a cross-group team to come up with ways to leverage Windows
    technically more."

    -- Jim Allchin, Vista escapee


    Related and recent:

    Be prepared: ActiveX attacks will persist

    ,----[ Quote ]
    | A recent string of high-profile ActiveX vulnerabilities caused the U.S.
    | Computer Emergency Readiness Team (US-CERT) to advise users to disable the
    | ubiquitous Microsoft browser plug-in technology altogether.
    `----

    http://www.infoworld.com/article/08/...-horror_1.html


    Will Microsoft Change How ActiveX Runs in IE 8?

    ,----[ Quote ]
    | Some security experts, like Will Dormann, a vulnerability analyst at the
    | Carnegie Mellon Software Engineering Institute CERT/CC, are calling for
    | ActiveX to be disabled from running by default in IE 8.
    |
    | Dormann is telling IE users that they should, from a security perspective,
    | disable ActiveX controls from running by default. "It would be nice if this
    | is something Microsoft did with the next version of the browser," he said.
    `----

    http://www.eweek.com/c/a/Security/Wi...-Runs-in-IE-8/


    Older:

    Rogue ActiveX controls menace users

    ,----[ Quote ]
    | Flaws in ActiveX controls are being increasingly used to run security
    | exploits.
    |
    | [...]
    |
    | "An attack exploiting this vulnerability can lead to arbitrary code execution
    | by a remote attacker," a blog posting by Symantec researcher Parveen
    | Vashishtha warns.
    `----

    http://www.theregister.co.uk/2007/10/24/activex_vulns/


    RealPlayer Attack Circulating

    ,----[ Quote ]
    | The attack exploits a flaw in an ActiveX browser helper object, software that
    | RealPlayer employs to help users who are experiencing technical difficulties,
    | so the PC must be using the Internet Explorer browser to be affected by this
    | particular attack, Symantec said.
    `----

    http://news.yahoo.com/s/pcworld/2007...pcworld/138706


    Yahoo! battered by second ActiveX vulnerability

    ,----[ Quote ]
    | The vulnerabilities affect versions of Yahoo! Messenger 8.x prior to version
    | 8.1.0.419, released late last week. Users are urged to upgrade.
    `----

    http://www.theregister.co.uk/2007/09..._activex_vuln/


    Way Too ActiveX

    ,----[ Quote ]
    | Today, over at Symantec's Security Response Weblog, Greg Ahmad
    | reveals startling--and I do mean shocking--increases in ActiveX
    | vulnerabilities. According to Symantec, ActiveX vulnerabilities
    | stayed in the 12- to 15-a-year range from 2002 to 2005. For
    | 2006, the number of vulnerabilities "reached 50," with 42 in
    | the second half of the year--coincidentally, the same time
    | period Microsoft finished up and released Internet Explorer 7.
    `----

    http://www.microsoft-watch.com/conte...129TX1K0000535
    http://tinyurl.com/33cfno


    Acer puts Active X hole on laptops

    ,----[ Quote ]
    | Laptop outfit Acer seems to have placed an Active X control on its
    | computers that seems to allow webpages to execute any program.
    |
    | This huge hole in network security has been installed on board Acer
    | lap-tops since 1998.
    `----

    http://www.theinquirer.net/default.aspx?article=36773


    Adobe Confirms 'Critical' Reader, Acrobat Exploits With IE

    ,----[ Quote ]
    | A critical security vulnerability in an ActiveX control used by
    | Internet Explorer could allow malicious hackers to use Adobe's
    | Reader and Acrobat software to launch PC hijack attacks,
    | according to a warning from Adobe Systems.
    `----

    http://www.pcmag.com/article2/0,1895,2066079,00.asp


    Month of ActiveX bugs project begins with two Office flaws

    ,----[ Quote ]
    | A hacker known as shinnai kicked off his "Month of ActiveX Bugs"
    | (MoAxB) project with a bang by exposing a number of severe
    | vulnerabilities affecting OCX controls in Microsoft Office.
    `----

    http://scmagazine.com/us/news/articl...-office-flaws/

  2. Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended

    * Roy Schestowitz peremptorily fired off this memo:

    > New Attack Kit Targets Bag of ActiveX Bugs
    >
    > ,----[ Quote ]
    >| Bugs in ActiveX, a Microsoft technology used most often to create add-ons for
    >| the company's Internet Explorer (IE) browser, have always been common, but so
    >| many serious flaws have been disclosed of late that some security experts
    >| have recommended users do without them.
    > `----
    >
    > http://www.pcworld.com/article/id,14...1/article.html
    >
    > Be prepared: ActiveX attacks will persist
    > Will Microsoft Change How ActiveX Runs in IE 8?
    > Rogue ActiveX controls menace users
    > RealPlayer (ActiveX) Attack Circulating
    > Yahoo! battered by second ActiveX vulnerability
    > Way Too ActiveX
    > Acer puts Active X hole on laptops
    > Adobe Confirms 'Critical' Reader, Acrobat Exploits With IE
    > Month of ActiveX bugs project begins with two Office flaws


    Ironically, our company is pushing to digitally sign all emails (because
    of the frequency of spoofing), and you have to use ActiveX in order to
    get the certificate.

    Funny as a crutch.

    I had a player miss three soccer games because I didn't realize that
    her company was filtering out my team emails as spam.

    And yet we have idiots claiming that Microsoft has only a beneficent
    effect on IT. Microsoft is a cancer.

    --
    Like almost everyone who uses e-mail, I receive a ton of spam every day. Much
    of it offers to help me get out of debt or get rich quick. It would be funny if
    it weren't so irritating.
    -- Bill Gates, "Why I Hate Spam" in Microsoft PressPass (2003)

  3. Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended

    On Tue, 08 Apr 2008 04:24:05 +0100, Roy Schestowitz wrote:

    > New Attack Kit Targets Bag of ActiveX Bugs
    >
    > ,----[ Quote ]
    >| Bugs in ActiveX, a Microsoft technology used most often to create add-ons for
    >| the company's Internet Explorer (IE) browser, have always been common, but so
    >| many serious flaws have been disclosed of late that some security experts
    >| have recommended users do without them.
    > `----
    >
    > http://www.pcworld.com/article/id,14...1/article.html


    This is complete bull****.

    The flaws are in valid plug-ins. These plug-ins would exist no matter what
    plug-in technology was used. The vulnerabilities are not in ActiveX
    itself, but the controls that use ActiveX.

    If ActiveX didn't exist, the makers of these controls would simply use
    Netscape plug-in API's, or whatever plug-in API was available.

    This reporter needs to learn a little bit more about what he's reporting
    on.

  4. Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended

    * Erik Funkenbusch peremptorily fired off this memo:

    >> New Attack Kit Targets Bag of ActiveX Bugs
    >>
    >> http://www.pcworld.com/article/id,14...1/article.html

    >
    > This is complete bull****.


    Speaking of ActiveX, I finally brought up the virtual billy box so's I
    could use Internut Exploder to get those goddam certificates they now
    require us to have, so that the rest of the corporate morons can ignore
    the "unsigned" flags and continue to clear on "spear-phishing" links.

    I then exported the certs using Outhouse Express, and then imported them
    into Evolution.

    Evolution is almost as bad as Outbreak, but still a little more
    convenient than webmail, though it uses the same link as webmail.

    I haven't been able to find OWA for fetchmail, so's I could use a real
    emailer (mutt).

    Too bad corporate IT won't support IMAP, SMTP, and POP3.

    --
    Your most unhappy customers are your greatest source of learning.
    -- Bill Gates, Business @ The Speed of Thought (1999)

  5. Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended

    * Linonut peremptorily fired off this memo:

    > Speaking of ActiveX, I finally brought up the virtual billy box so's I
    > could use Internut Exploder to get those goddam certificates they now
    > require us to have, so that the rest of the corporate morons can ignore
    > the "unsigned" flags and continue to clear on "spear-phishing" links

    ^^^^^^^ click
    --
    Life is not divided into semesters. You don't get summers off and very few
    employers are interested in helping you find yourself.
    -- Bill Gates

  6. the logic of FudingTROLL strikes again ..

    On 9 Apr, 00:16, Erik Funkenbusch wrote:

    > The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.


    zzzztttt, ZZZTTT, my mind is going, I can feel it Dave, I mean
    'retard' ...

  7. Re:danger fudingLOGIC at work ..

    On 9 Apr, 00:16, Erik Funkenbusch wrote:

    > The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.


    "A remote code execution vulnerability exists in the ActiveX control
    hxvz.dll .. the vulnerability could allow remote code execution"

    http://www.microsoft.com/technet/sec.../MS08-023.mspx

    --

    the flaws are not in the bridge itself, but in the girders that hold
    up the bridge ..


  8. Re: danger fudingLOGIC at work ..

    On Sat, 19 Apr 2008 10:12:21 -0700 (PDT), Doug Mentohl wrote:

    > On 9 Apr, 00:16, Erik Funkenbusch wrote:
    >
    >> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.

    >
    > "A remote code execution vulnerability exists in the ActiveX control
    > hxvz.dll .. the vulnerability could allow remote code execution"
    >
    > http://www.microsoft.com/technet/sec.../MS08-023.mspx


    Note the phrase "In the ActiveX *CONTROL*, which is precisely what I said.

    Duh! Duh!g.

  9. Re: danger fudingLOGIC at work ..

    On 20 Apr, 01:23, Erik Funkenbusch wrote:

    > On Sat, 19 Apr 2008 10:12:21 -0700 (PDT), Doug Mentohl wrote:


    >>> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.


    > Note the phrase "In the ActiveX *CONTROL*, which is precisely what I said.


    This is absolutely hilarious, fuddie said , but
    now sees <"In the ActiveX *CONTROL*>, which is precisely not what he
    said. It's a form of aphasia, he can, on the fly, rewire his visual
    cortex to see exactly what he wants to see. He can also do this to his
    cognitive facilities, so from now on, an activeX control isn't and
    never was part of activeX.
    ------

    Show how an activeX control isn't a part of activeX, isn't hxvz.dll
    one of the main components in MS Help engine? If it isn't, what's it
    doing in C:\Program Files\Common Files\Microsoft Shared\Help\ ... ???
    -------

    Symptoms of Aphasia: strings together nonsense words and real words
    fluently but makes no sense ..

  10. Re: danger fudingLOGIC at work ..

    On Sun, 20 Apr 2008 06:05:05 -0700 (PDT), Doug Mentohl wrote:

    > On 20 Apr, 01:23, Erik Funkenbusch wrote:
    >
    >> On Sat, 19 Apr 2008 10:12:21 -0700 (PDT), Doug Mentohl wrote:

    >
    >>>> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.

    >
    >> Note the phrase "In the ActiveX *CONTROL*, which is precisely what I said.

    >
    > This is absolutely hilarious, fuddie said , but
    > now sees <"In the ActiveX *CONTROL*>, which is precisely not what he
    > said. It's a form of aphasia, he can, on the fly, rewire his visual
    > cortex to see exactly what he wants to see. He can also do this to his
    > cognitive facilities, so from now on, an activeX control isn't and
    > never was part of activeX.


    No, you're a moron. If you knew anything about what you were discussing,
    you would know that ActiveX is a *technology*, not a product. In
    particular, it's a protocol. There's some code associated with it in the
    OS (notably QueryInterface, CoInitialize, etc.), but not much.

    Using your logic, a flaw in a Firefox plug-in is a flaw in Firefox. Or a
    flaw in a third party Linux loadable library is a flaw in the Linux kernel
    or maybe a flaw in a web site is a flaw in TCP/IP.

    An ActiveX control is a plug-in that uses ActiveX as its interface. The flaw
    was not in the interface, it was in the code of the control.

    How is it you can repeatedly prove, *EVERY SINGLE TIME* how big of an idiot
    you are? And each time you succeed in making yourself an even bigger
    idiot.

    > Show how an activeX control isn't a part of activeX, isn't hxvz.dll
    > one of the main components in MS Help engine?


    Yes, it is.

    > If it isn't, what's it
    > doing in C:\Program Files\Common Files\Microsoft Shared\Help\ ... ???


    What does that have to do with anything?

    It's a flaw in the help system, not ActiveX.

  11. Re: danger fudingLOGIC at work ..

    On Sun, 20 Apr 2008 14:01:22 -0500, Erik Funkenbusch wrote:

    > On Sun, 20 Apr 2008 06:05:05 -0700 (PDT), Doug Mentohl wrote:
    >


    > How is it you can repeatedly prove, *EVERY SINGLE TIME* how big of an idiot
    > you are? And each time you succeed in making yourself an even bigger
    > idiot.


    At least he is consistent!
    Consistently wrong that is!

    Doug Mentohl is obviously mentally retarded and or has some kind of brain
    damage because nobody of normal intelligence could be *that* ignorant.

    The best we can hope for is that he takes his meds.




    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  12. Re: danger fudingLOGIC at work ..

    On 20 Apr, 20:01, Erik Funkenbusch wrote:

    > It's a flaw in the help system, not ActiveX.


    Explain how a Microsoft activeX control isn't a part of activeX ...
    --

    "Microsoft 'hxvz.dll' ActiveX Control Memory Corruption Vulnerability"

    http://www.securityfocus.com/bid/28606

    "This issue is caused by a memory corruption error in the "hxvz.dll"
    ActiveX control"

    http://www.frsirt.com/english/advisories/2008/1147

  13. Re: danger fudingLOGIC at work ..

    On Mon, 21 Apr 2008 06:47:12 -0700 (PDT), Doug Mentohl wrote:

    > On 20 Apr, 20:01, Erik Funkenbusch wrote:
    >
    >> It's a flaw in the help system, not ActiveX.

    >
    > Explain how a Microsoft activeX control isn't a part of activeX ...


    Duh!g Moron, I did in the post you are quoting. Now you're being dishonest
    and not just stupid.
