Let's also get rid of HTML, images, and CSS on Web pages.  These features
also are security risks.  I think that plain ASCII text can be made safe.
;-)

Richard 

-----Original Message-----
From: Paul Ferguson [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 07, 2007 1:13 AM
To: [EMAIL PROTECTED]
Cc: [email protected]; [EMAIL PROTECTED]
Subject: Re: [funsec] ActiveX strikes yet again -- This time its Intuit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Active content is evil. Period.

Along those same lines is this:

"NIST Issues New Computer Security Guidelines for Active Content"
http://www.gcn.com/online/vol1_no1/44972-1.html

My favorite quote:

"Incorporating active content such as Java applets, JavaScript and other
scripts, and macros can add to the functionality of documents, e-mails, Web
pages and files in a wide variety of formats, but NIST calls their security
vulnerabilities 'insidious'."

Insidious indeed.

-- ferg


-- Juha-Matti Laurio <[EMAIL PROTECTED]> wrote:

And probably not the last vendor - reported by this US-CERT team member:
http://secunia.com/search/?search=Will+Dormann+activex&sort_by=date

- Juha-Matti

[EMAIL PROTECTED] wrote:
>
> Sheesh.  Another big software vendor places a backdoor on their
> customers' computers that the bad guys can use also.
>
> Richard
>
> http://www.kb.cert.org/vuls/id/979638
>
> Intuit QuickBooks Online Edition is a version of QuickBooks that is
> implemented as an ActiveX control. This ActiveX control contains
> several dangerous methods, such as httpGETToFile() and
> httpPOSTFromFile(). These methods can be used to download or upload files
> in arbitrary locations.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFG4N3Hq1pz9mNUZTMRAq0RAJ9EEjEvQsT5sGs0oHjnchlZSePwKgCeIwKi
QjcTdANzkWJV+99GdyzqzmY=
=fEk0
-----END PGP SIGNATURE-----

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
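Added example, not part of the thread above and not from Intuit, US-CERT or NIST: the standard defensive response to a dangerous ActiveX control like the one in VU#979638 is to set the Internet Explorer "kill bit" for its CLSID, so the browser refuses to instantiate the control even when it stays installed. The script below does that from an elevated PowerShell session and then verifies the flag. The CLSID value is a labelled placeholder, because the real one is not given in this thread; the 0x400 Compatibility Flags value and the registry paths are Microsoft's documented kill-bit mechanism.

```powershell
# Added example (not from the funsec thread): set the IE kill bit for an
# ActiveX control so Internet Explorer will not load it, then verify.
# Run from an elevated (Administrator) PowerShell session.

# PLACEHOLDER: substitute the control's real CLSID from the vendor advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Documented Compatibility Flags bit that blocks instantiation of the control.
$KillBitFlag = 0x400

# 64-bit IE reads the first path, 32-bit IE on a 64-bit OS reads the Wow6432Node path.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-ActiveXKillBit {
    param([string[]]$RegistryPaths, [int]$Flag)
    foreach ($p in $RegistryPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit into any flags already present instead of overwriting them.
        $new = [int]$current -bor $Flag
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string[]]$RegistryPaths, [int]$Flag)
    foreach ($p in $RegistryPaths) {
        $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Missing value, or value without the 0x400 bit, means the control is still loadable.
        if (-not $v -or (($v -band $Flag) -eq 0)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -RegistryPaths $Paths -Flag $KillBitFlag
if (Test-ActiveXKillBit -RegistryPaths $Paths -Flag $KillBitFlag) {
    "Kill bit set for $Clsid"
} else {
    "Kill bit NOT set for $Clsid - check permissions and registry paths"
}
```

Setting the kill bit only stops Internet Explorer and other hosts that honour the ActiveX Compatibility key; it does not remove the control or stop non-browser hosts from calling its methods, so it is a stopgap until the vendor ships a fixed control.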