Content deleted Content added
If you're going to talk about ActiveX being insecure because of bugs, then we must also mention that Mozilla's approach is also flawed because we have seen similar possibility of exploitation
Line 80:
Over the years, numerous attacks were targeted toward Internet Explorer. The embedding of COM into the Internet Explorer created a combination of functions that provides a gateway for explosion of [[computer virus]], [[Trojan horse (computing)|trojan]] and [[spyware]] infections. These [[malware]] attacks mostly depend on ActiveX for their activation and propagation to other computers. Microsoft has recognized the problem with ActiveX since 1996 when Charles Fitzgerald, program manager of Microsoft's Java team [http://www.javaworld.com/javaworld/jw-03-1997/jw-03-component.web97.html said], ''"If you want security on the 'Net', unplug your computer. … We never made the claim up front that ActiveX is intrinsically secure."''.
One of the main problems in Internet Explorer's security measure is the total reliance on human judgment. Also, ActiveX security relies solely on security zones and digital signing, which was utilized by malware multiple times. One of the common techniques is to mark malicious pages incorrectly under trusted zone by exploiting the browser's bugs. In the [[sandbox (security)|sandbox security model]] used by other browsers, there are no trusted zones as every pages that come from websites (and even local file system) are run with very limited privileges. In practice, digital signing is rarely used as the digital signing process is technical and expensive. Despite this criticism, major competitors also also utilise digital signing in their security mechanism, and recent exploitation has shown that both the [[sandbox (security)|sandbox security model]] and [[same origin policy]] are fallible. [http://secunia.com/advisories/15292/]
The forth-coming [[Microsoft AntiSpyware]], which is currently in beta, monitors BHOs in Internet Explorer on Windows 2000, XP and Server 2003, and will warn the user before a new BHO is installed.
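Review bot: In the second paragraph, the sentence beginning "Despite this criticism" supports its claim that "both the sandbox security model and same origin policy are fallible" with a single bare external link, so a reader cannot tell which product or flaw the Secunia advisory covers without following it. Suggest naming which competitors use digital signing and for what purpose, and turning the link into a described citation. The same sentence has a doubled "also also", the sentence before it says "every pages" where "every page" is meant, and "forth-coming" in the last paragraph should read "forthcoming".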