[LINK] RFC No. 3: Controls over ActiveX Controls
Roger Clarke
Roger.Clarke at xamax.com.au
Mon Apr 2 17:59:35 AEST 2007

Here's one (more) situation I'm unclear about.

From http://www.felgall.com/brsie23.htm :

(1) ActiveX controls can be switched off by disabling five options, via:
    Tools / Internet Options / Security / Internet / Custom Level

(2) ActiveX can be enabled for selected sites only, via:
    Tools / Internet Options / Security / Trusted Sites / Sites...

As I understand it, unless the site is marked Trusted, the arrival of
any ActiveX control will generate a Security Alert pop-up, which the
user will have to accept, otherwise it won't run. [Whack me around
the ears very loudly if I'm already off the track!]

But if the user permits an ActiveX control to run (whether by okaying
the Security Alert, or having the site marked as Trusted), does the
ActiveX control run once-only, or can it install software onto the
device that can be later invoked from within the device without a
Security Alert?

In short, is there multi-layer onion-skin protection, or is it a
single-layer arrangement that only needs to be subverted once in
order to install a trojan?

--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW