[thelist] ActiveX & Flash (in)Security

George Dillon evolt at georgedillon.com
Thu May 10 03:30:08 CDT 2001


On Wednesday, May 09, 2001 9:10 AM I frivolously asked:

> How do I check which ActiveX Controls are already
> installed and where they're from/what they do?
> Is there some Freeware app which can do this?

But answer came there none.

So I searched around and found several pointers to this:

ActiveX security check page (by Richard M Smith)
http://users.rcn.com/rms2000/acctroj/axcheck.htm

After breaking my policy of saying no to all web-based ActiveX (and thus NO
to all FLASH), I was thrilled to discover that my system FAILED 3 out of 18
tests for dangerous ActiveX controls.  And I consider myself highly security
conscious (read paranoid).

Have I been a bad/foolish boy downloading lots of dodgy freebies?  No, not at
all.  The 3 controls on my system identified as dangerous in the tests are
precisely the kind that John Dowdell suggested we should trust implicitly
when he wrote:

> check which ActiveX Controls are already installed
> assume that the default collection with your OS is safe
> Summary: Well-distributed plugins and controls need to restrict
> security breaches, or they won't be well-distributed anymore

I would guess that ANYONE on this list running Internet Explorer in Windows
98 is going to fail these ActiveX tests in the same way.  Go and try for
yourselves.

While you're there, step back a level to:

Accidental Trojan Horses: Security problems in Windows 98 PCs
http://users.rcn.com/rms2000/acctroj/index.htm

And try some of the other security tests.  Again I was really pleased (not)
to find my system failing a few.

In conclusion, my suspicion remains that since the operation of Flash is
reliant on ActiveX (a M$ issue) it is simply not safe.

HTH

George Dillon






