[LINK] RFC No. 3: Controls over ActiveX Controls

Roger Clarke Roger.Clarke at xamax.com.au
Mon Apr 2 17:59:35 AEST 2007


Here's one (more) situation I'm unclear about.

From http://www.felgall.com/brsie23.htm :

(1)  ActiveX controls can be switched off by disabling five options, via:
Tools / Internet Options / Security / Internet / Custom Level

(2)  ActiveX can be enabled for selected sites only, via:
Tools / Internet Options / Security / Trusted Sites / Sites...

As I understand it, unless the site is marked Trusted, the arrival of 
any ActiveX control will generate a Security Alert pop-up, which the 
user will have to accept, otherwise it won't run.  [Whack me around 
the ears very loudly if I'm already off the track!]

But if the user permits an ActiveX control to run (whether by okaying 
the Security Alert, or having the site marked as Trusted), does the 
ActiveX control run once-only, or can it install software onto the 
device that can be later invoked from within the device without a 
Security Alert?

In short, is there multi-layer onion-skin protection, or is it a 
single-layer arrangement that only needs to be subverted once in 
order to install a trojan?

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
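
The settings in (1) and (2) above can be checked from a registry export rather than through the dialog. This is an added example, not part of the original message. The message does not name the five options, so the URL action codes below are an assumption (the five ActiveX entries of the classic Custom Level list), and the sample export is constructed.

```python
import re

ACTIVEX_ACTIONS = {  # assumed: URL action codes of the five ActiveX settings
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
POLICY = {0x0: "enable", 0x1: "prompt", 0x3: "disable", 0x10000: "administrator approved"}
ZONES = {"2": "Trusted sites", "3": "Internet"}
# Constructed sample in `reg export` format, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1405"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1405"=dword:00000001
'''

def parse_zones(reg_text):
    """Return {zone name: {action code: policy}} for the ActiveX actions."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key: track it only if it is a zone
            key = re.fullmatch(r"\[.*\\Internet Settings\\Zones\\(\d+)\]", line)
            current = zones.setdefault(ZONES.get(key.group(1), key.group(1)), {}) if key else None
            continue
        val = re.fullmatch(r'"(\d{4})"=dword:([0-9a-fA-F]{8})', line)
        if val and current is not None and val.group(1) in ACTIVEX_ACTIONS:
            current[val.group(1)] = POLICY.get(int(val.group(2), 16), "other")
    return zones

def not_disabled(zone_settings):
    """Codes the zone still enables or prompts for (a missing value counts)."""
    return sorted(c for c in ACTIVEX_ACTIONS if zone_settings.get(c) != "disable")

if __name__ == "__main__":
    for zone, settings in parse_zones(SAMPLE_REG).items():
        print(zone, {ACTIVEX_ACTIONS[c]: settings.get(c, "not set") for c in not_disabled(settings)})
```

To audit a real profile, export the `Internet Settings\Zones` key with `reg export` and pass the file contents to `parse_zones`; the export is UTF-16, so read it with `encoding="utf-16"`.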


