Hi malware fighters,
More than a hundred security leaks have been found in Active-X controls that come standard on Windows eXPerience (Did you know that was what XP stood for? What an experience!)
They were found by Metasploit's researcher H.D. Moore. A dozen of these controls were so full of holes that a whole class of them had to be blacklisted right away.
What are the benefits of having the Active-X or JavaScript functionality and efficiency, when at the same time you also inherit all this insecurity and all the time it will cost you to update and patch or circumvent all kinds of possible problems?
To have full efficiency and functionality, all patches and fixes are omitted and one proceeds under the false assumption "Although I may be vulnerable, I am not a victim yet".
For instance JavaScript, originally developed for the Netscape browser:
1. JavaScripts can trick the user into uploading a file on his local hard disk or network mounted disk to an arbitrary machine on the Internet. Although the user must click a button in order to initiate the transfer, the button can easily masquerade as something innocent. Nor is there any indication that a file transfer has occurred before or after the event. This is a major security risk for systems that rely on a password file to control access, because a stolen password file can often be readily cracked.
2. JavaScripts can obtain directory listings of the user's local hard disk and any network mounted disks. This represents both an invasion of privacy and a security risk, since an understanding of a machine's organization is a great advantage for devising a way to break into it.
3. JavaScripts can monitor all pages the user visits during a session, capture the URLs, and transmit them to a host somewhere on the Internet. This hole requires a user interaction to complete the upload, but as in the first example the interaction can be disguised in an innocuous manner.
These tools are nice for making a website "monkey-proof", but isn't it time for some decent server-side and client-side validation? A nobler task awaits firms like VeriSign than serving up client profiles.
polonus