[thelist] ActiveX Security

John Dowdell jdowdell at macromedia.com
Thu May 10 14:07:27 CDT 2001


At 1:27 AM 5/10/1, George Dillon wrote:
>> How do I check which ActiveX Controls are already
>> installed and where they're from/what they do?
>> Is there some Freeware app which can do this?
>
> But answer came there none.

Sorry, I saw your thread on my way out, but don't have a list of such
utilities nailed, and so deferred to someone else's recommendation or a web
search.


> After breaking my policy of saying no to all web-based ActiveX
> (and thus NO to all FLASH), I was thrilled to discover that my
> system FAILED 3 out of 18 tests for dangerous ActiveX controls...
> The 3 controls on my system identified as dangerous in the tests
> are precisely the kind that John Dowdell suggested we should
> trust implicitly....

Hmm, if you're saying that a given utility identified three components in a
stock installation as being "a risk", then I guess that means that that
utility considers a stock installation of some OS as risky.

(My main point was that, if you use a popular configuration, then you have
the same risk level as others, and because this is a big fat target then
bad people will likely have tried to exploit weaknesses there already.
Doesn't mean there can't be new and undiscovered weaknesses, only that
being part of the pack tends to be safer than installing unusual ActiveX
Controls into a system.)



> In conclusion, my suspicion remains that since the operation of Flash
> is reliant on ActiveX (a M$ issue) it is simply not safe.

Hmm, seems like a leap there... how do you get from "some may judge some
ActiveX Controls to have some risk" to "the Macromedia Flash Player in
ActiveX form is not safe"?

If you'd like to avoid ActiveX Controls in general, then using a browser
other than IE/Win is one easy path.


(For Erik, yes, IE/Win can use Netscape Plugins, but last I checked only
IE5/Mac has a navigator.plugins array for JS detection, and IE/Win will
still react to the OBJECT tag in web pages anyway.)

jd








John Dowdell, Macromedia Tech Support, San Francisco CA US
Search technotes: http://www.macromedia.com/support/search/
Offlist email risks capture by the spam filters. I may not see your
email if it's not on the list. Private one-on-one email options are
available via Priority Access: http://www.macromedia.com/support/






More information about the thelist mailing list