[H-GEN] [fwd] RIP: ActiveX controls in Internet Explorer?

Sat Aug 30 21:59:32 EDT 2003

[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Sat, 30 Aug 2003, Tony Nugent wrote:

> From:    "Richard M. Smith" <rms at computerbytesman.com>

scary.

> As everyone knows, ActiveX controls and the <OBJECT> tag has been a
> big source of security holes in Internet Explorer.  However, it looks
> like support for ActiveX controls is going to be removed from Internet
> Explorer.  A small company called Eolas recently won a $521 million
> judgment against Microsoft for patent infringement.  The Eolas patent
> covers plugins in Web pages to show multimedia content.

It's such a shame, I'm honestly of the opinion that executable content
really could have made the Internet a (more) exciting place.  For example,
take a look at McAfee's FreeScan service:

	http://us.mcafee.com/root/mfs/scan.asp

It uses an ActiveX plugin to provide the 'scan only' support that used to
be available as a free download.  At first I considered this pretty stupid
(I have to be connected to the Internet to scan my harddrive?) but if you
keep in mind that this is proprietory software, it kinda makes sense.
McAfee wants potential customers to come to their web site.  They can do
that by providing a free service.  Unlike the downloadable predecessor,
viruses discovered with FreeScan are displayed with a link to the virus
description, so you can how at risk you are.  I'm sure it all leads to
greater sales of their product, and they do it without demanding that the
software be bought before you even know whether it will be of use to you.
For those of you who are still skeptical about McAfee's evilness (I know I
am) they actually provide "manual cleaning instructions" on the virus
description pages, if possible.  That really doesn't sound like a company
that is demanding payment for something you don't need.  It sounds like
the FreeScan service was thought out as being something good for the
customer, as well as McAfee.

>From the security perspective, Microsoft has once again given a good idea
a bad name.  Ask just about anyone and they'll tell you that Java web
content is more secure than ActiveX.. and they're right.  But that doesn't
mean that you must have a virtual machine (and all that other baggage) to
sandbox arbitary code.  There's plenty of research out there to enforce
security models on arbitary untrusted native code, Microsoft simply chose
to ignore it, like they always do, and went with the authoritarian code
signing technique which, let's face it, absolutely no-one goes through the
process to use.

As a final comment, I'm sure the reason why Microsoft is dropping ActiveX
(if they are) is because they want to migrate people onto .NET, moreso
than any patent problems.

Trent

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/