On 27 Nov 2001 05:26:40 GMT, DeMoN LaG <n@a> wrote:

>[EMAIL PROTECTED] (Chris Hill) wrote in
>news:[EMAIL PROTECTED], on 27 Nov 2001:
>>>They are as secure as Fort Knox compared to Active X
>>>
>>
>> Please explain
>
>I've never seen a malicious Netscape plugin (even when Netscape had 80%+
>marketshare). I've seen dozens of malicious Active X scripts. IE in
>general is too insecure and gives out too much information about my
>system. For instance, BrowserSpy: http://www.gemal.dk/browserspy/

The lack of malicious Netscape plugins is probably due to the limited use and limited features of a mechanism to install a plugin easily without restarting the browser (historically -- I think this has since been addressed). Another factor is that there are fewer Netscape plugins than ActiveX controls. This means fewer chances of a poorly written plugin that permits access.

The policies of IE do not mean that the ActiveX model is less secure than the plugin model.

Also, there are probably many badly written ActiveX controls (some already installed on a user's system) that allow far more access to the system than should be possible. This means that by default, all ActiveX controls on the system should be blacklisted unless the user grants permission (with an extreme warning). If the list of ActiveX controls available to a theoretical implementation resembled the list of plugins available to the typical Netscape installation (Flash, Acrobat, QuickTime), I think there would be far less cause for concern.

>I don't think any web site needs to know anything about my Direct X
>version. This should not be made available through my browser. I don't
>think anything involving the MS AFC should be available via my browser.

I agree, unless of course the web site is using DirectX via an ActiveX control (or plugin). If the code is native (like a plugin) it can do anything that a program on your computer can. Once it is running, it has full control.

>Component information: I don't like how it's possible to see what
>version of the help engine I have installed, or what version of Media
>player is available. A new exploit was just found involving media
>player, and this lets people target me for attack.

I agree. However, if a Netscape plugin exposed version information via scripting interfaces the same issue would exist.

>Java and Netscape's plugins don't get access to the rest of the system,
>in general. I remember Heat.net's plugin installer was a Java applet,
>before it could do anything I was prompted a huge security alert saying
>"Install software on machine - HIGH RISK". I don't get that secure
>feeling with IE. IE is just too leaky for my tastes

Netscape plugins DO get access to the entire system once installed. Java applets get restricted access to the system (unless the applet is signed and the user grants permission).

You are talking about IE, not ActiveX.

Chris Hill
[EMAIL PROTECTED]
