
ActiveX controls with questionable security


Hi,

Software vendors continue to not understand ActiveX security issues.  I
found a number of ActiveX controls on my laptop which are marked "safe
for scripting", but they are clearly not.  These controls contain
methods which can be used from a Web page to do things like run
programs, download files from Web sites to the local hard drive, provide
file system access, etc.

Here are some of the questionable controls:

1. TgLib.System from www.support.com.  This control plus
   related controls ship preinstalled on Sony laptops.  
   These same controls are probably shipped with other
   brands of computers also.

2. IPWorks.TFTP from www.nsoftware.com.  I'm not even
   sure where this control came from.  It's a TFTP
   server or client of some sort.

3. FtpTree control from www.ftpvoyager.com.  The control
   is installed with the FTP Voyager software, which is an
   FTP client for Windows.

I notified all three vendors many months ago and there are some fixes
available, but to be honest, I don't remember the details.

Some background on ActiveX security:

 http://www.computerbytesman.com/acctroj/hp.htm
 http://www.cert.org/reports/activeX_report.pdf
 
 http://www.fawcette.com/archives/premier/mgznarch/vbpj/1997/04apr97/opinion.pdf

Every Windows computer I've owned since 1998 has come preinstalled with
ActiveX controls which were mismarked as "safe for scripting".  I don't
see this problem getting solved.  There doesn't seem to be any mechanism
for educating software vendors about ActiveX security.  The same
mistakes are being made over and over again.  Perhaps ActiveX security
is just too difficult.

Richard M. Smith
http://www.ComputerBytesMan.com
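
An added example, not part of the original post: a read-only PowerShell inventory of the COM classes on a machine that are registered in the "safe for scripting" component category, showing for each whether the Internet Explorer kill bit is set. The category GUIDs and the kill-bit flag are the standard Windows values; the script assumes machine-wide (HKLM) registrations only, and controls that assert safety at run time through IObjectSafety will not appear in its output.

```powershell
# Added example: list COM classes registered as "safe for scripting" (read-only).
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBit             = 0x400   # bit in the "Compatibility Flags" DWORD

# Native and 32-bit registry views, each paired with its own kill-bit key.
$views = @(
    @{ Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Classes = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
       Compat  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-DefaultValue($key, $subKeyName) {
    # (Default) value of a subkey, or nothing if the subkey is absent.
    $sub = $key.OpenSubKey($subKeyName)
    if ($sub) { $sub.GetValue('') }
}

$results = foreach ($v in $views | Where-Object { Test-Path $_.Classes }) {
    foreach ($clsid in Get-ChildItem -LiteralPath $v.Classes -ErrorAction SilentlyContinue) {
        $cats = $clsid.OpenSubKey('Implemented Categories')
        if (-not $cats) { continue }
        $names = $cats.GetSubKeyNames()
        if ($names -notcontains $SafeForScripting) { continue }

        # Kill bit: Compatibility Flags under ...\ActiveX Compatibility\{CLSID}
        $compatPath = Join-Path $v.Compat $clsid.PSChildName
        $prop  = Get-ItemProperty -LiteralPath $compatPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $flags = $prop.'Compatibility Flags'

        [pscustomobject]@{
            CLSID       = $clsid.PSChildName
            ProgID      = Get-DefaultValue $clsid 'ProgID'
            Server      = Get-DefaultValue $clsid 'InprocServer32'
            SafeForInit = $names -contains $SafeForInitializing
            KillBitSet  = [bool]($flags -band $KillBit)
        }
    }
}

# Controls without the kill bit sort first; these are the ones to review.
$results | Sort-Object KillBitSet, ProgID | Format-Table -AutoSize
```

Rows with `KillBitSet` false are the controls a Web page can still instantiate and script, so those are the ones whose exposed methods need reviewing.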







