Dealing with ActiveX, other potentially dangerous embeds?

Discussion in 'Computer Security' started by Marty Ross, Aug 29, 2003.

  1. Marty Ross

    Marty Ross Guest

    Of those security-minded folks out there that *DO* choose to use MS/IE, how
    do you deal with ActiveX or other potentially dangerous embeds in internet
    media?

    Realizing that each time I choose to allow an ActiveX object to run, I'm
    giving it complete control to do whatever it wants to my entire system, I've
    recently become paranoid: how come there haven't been MAJOR viruses released
    via active X objects? Does anybody really "trust" the authenticode system?
    Does "certification" really deliver on its promise (e.g., I don't know who
    a GREAT majority of these companies that have supposedly "promised this
    content is safe", so I feel it effectively doesn't make a difference whether
    objects are certificated or not -- "I push the buttons and I takes my
    chances!").

    For that matter -- do y'all place any more trust in Java (or other) objects
    embedded in web pages?

    It seems to me it's plain out mutually exclusive -- **EITHER** I:

    (1) allow myself to trust the universe (or spend a time investigating who I
    think I'm talking to for each individual web transaction), accept the real
    risks involved, and enjoy the fruits of sophisticated ActiveX/Java/whatever
    objects (such as streaming media, other interactivity, etc.)

    (2) restrict myself totally from all "active" content -- especially the
    potentially more dangerous variety (such as ActiveX), yet remain a "hermit"
    with respect to participating in much of the neat stuff that's out there,
    much of it served up using these potentially dangerous technologies

    Does anyone share my view on "the state of the art" with regard to security
    from viruses and/or hijacking while using the internet, or is there some
    middle ground where I can be safe *and* enjoy the latest-and-greatest at the
    same time?

    What sorts of disciplines do y'all follow to honor your own personal
    appetite/comfort level?

    - Security Newbie
     
    Marty Ross, Aug 29, 2003
    #1

  2. Marty Ross

    mto Guest

    "Marty Ross" <> wrote in message
    news:ScO3b.21743$...
    > Of those security-minded folks out there that *DO* choose to use MS/IE, how
    > do you deal with ActiveX or other potentially dangerous embeds in internet
    > media?


    The general consensus seems to be the same as dealing with ports - if you
    don't need it right this minute, shut it off.

    As far as using ActiveX I allow just one X-control - the one that has to be
    active to use Windows Update. And even then, ActiveX is turned off unless I
    am actively updating Windows.

    > Does anybody really "trust" the authenticode system?


    In a pig's eye. You might recall the incident a couple of years back when
    someone managed to make off with a couple of secure server certificates
    claiming to be Microsoft - but they weren't.

    > Does "certification" really deliver on its promise (e.g., I don't know who
    > a GREAT majority of these companies that have supposedly "promised this
    > content is safe", <SNIP>


    Safe for whom? Safe how? - as in safe it won't break your machine or safe
    it won't violate your privacy/use your phone/etc.?

    > For that matter -- do y'all place any more trust in Java (or other) objects
    > embedded in web pages?


    Of the bunch of them, I trust Java more than any other. (I am a web
    developer BTW.) Note, however, that javascript in my opinion can be one of
    the most dangerous. Recently I've even seen malware distributed using an
    image tag :(

    Innocent till proven guilty may be the rule in court - but not when it comes
    to my machine. Trust NOTHING implicitly.

    > It seems to me it's plain out mutually exclusive -- **EITHER** I:
    >
    > (1) allow myself to trust the universe (or spend a time investigating who I
    > think I'm talking to for each individual web transaction), accept the real
    > risks involved, and enjoy the fruits of sophisticated ActiveX/Java/whatever
    > objects (such as streaming media, other interactivity, etc.)


    Too many nasties out there to trust - kind of like going to downtown Dodge
    on Saturday night without your six-shooter. Investigating websites? You
    will never get anything done - and God himself can't guarantee you that who
    they say they are is real.

    > (2) restrict myself totally from all "active" content -- especially the
    > potentially more dangerous variety (such as ActiveX), yet remain a "hermit"
    > with respect to participating in much of the neat stuff that's out there,
    > much of it served up using these potentially dangerous technologies


    Nope, you don't have to withdraw completely - just be selective. Keep your
    security settings as high as possible and turn off absolutely everything
    unless you need it. (Zone Alarm Pro helps there because you can allow
    cookies/scripts/java on a site-by-site basis). When you come across
    something you want, turn only what you need back on just long enough to
    indulge. Get AdAware and Spybot Search & Destroy and use them. Make sure
    that you have NO trusted sites.

    Alternatively buy a Mac. If I didn't have to replace thousands of dollars
    in programming to do so, you can bet your last dime I wouldn't be running
    Windows anything.
     
    mto, Aug 30, 2003
    #2

  3. Marty Ross wrote:
    > Of those security-minded folks out there that *DO* choose to use MS/IE, how
    > do you deal with ActiveX or other potentially dangerous embeds in internet
    > media?


    ActiveX is filtered out at the firewall proxy. Because of that I can't
    activate MS Reader on my PocketPC, so be it. I have acrobat reader on it.

    If I had it my way, javascript would all be filtered out as well.

    Groetjes
    John
     
    John Veldhuis, Sep 8, 2003
    #3
  4. Marty Ross

    mto Guest

    "John Veldhuis" <> wrote in message
    news:bjhk7a$j290m$-berlin.de...
    > Marty Ross wrote:
    > > Of those security-minded folks out there that *DO* choose to use MS/IE, how
    > > do you deal with ActiveX or other potentially dangerous embeds in internet
    > > media?
    >
    > ActiveX is filtered out at the firewall proxy. Because of that I can't
    > activate MS Reader on my PocketPC, so be it. I have acrobat reader on it.
    >
    > If I had it my way, javascript would all be filtered out as well.


    Easy enough. Turn off scripting under Tools/Options. Or install Zone Alarm
    PRO which will disrupt it on its way in the door from the source. Or both.
     
    mto, Sep 8, 2003
    #4
