FYI. I actually think that a year plus is needed to list all of the security and DoS bugs in ActiveX controls. A few days ago, I reported a crash bug to the Microsoft security folks in their newly released Silverlight ActiveX control (see http://www.microsoft.com/silverlight/install.aspx). I'm not sure if the bug is exploitable or not. Delivering a secure/DoS-free ActiveX control written in C/C++ on the first try appears to be an impossible task.....

Richard

_____
Web site: http://moaxb.blogspot.com/

http://www.securityfocus.com/brief/495

Another Month of Bugs -- this time, ActiveX
Published: 2007-05-03

Anyone wishing that the Month of Bugs phenomenon would fade away will be disappointed in May. A lone researcher has apparently compiled enough flaws in various ActiveX controls to release a bug <http://moaxb.blogspot.com/> every day for the month of May.

Dubbing the effort the Month of ActiveX Bugs (MoAxB), the hacker -- who only identified himself by the name "shinnai" -- wrote, in broken English, that the effort was an attempt to educate people on the risks of ActiveX controls.

"Most of them are simple DoS (denial-of-service vulnerabilities) -- don't worry there are also some code execution -- but that's because MoAxB has only a sense: to inform developers about the risk of using ActiveX controls," the researcher wrote <http://moaxb.blogspot.com/2007/04/month-of-activex-bug-announced.html>.

...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
