Security bulletin number one
Simply put, ActiveX is an omnibus term for interactive Microsoft technologies on the Web. On the plus side, ActiveX allows Microsoft Office apps to communicate across networks and on the Internet. On the downside, ActiveX allows flashy advertising on Web sites. It's the latter that's worrisome, as criminal hackers could use fancy ads on Web sites or referrals to maliciously coded Web sites to download malformed HTML Help ActiveX Controls onto your unprotected PC, then gain control of your machine.
My favorite anti-pop-up app, PopUpCop, includes XGuard, a nifty feature that blocks ActiveX downloads onto your computer. I like the granularity within PopUpCop because I can allow ActiveX on certain sites and block it on all others.
You can also go into Internet Explorer's tools and change the ActiveX setting from Enable to Prompt. The downside of this change is that on every Web page you visit, you will see a dialog box asking if you want to allow ActiveX Controls before IE downloads them. If you say no to the wrong control, you may also lose some functionality on that Web page. As an alternative, Microsoft, in its detailed summary of the security bulletin, offers other workarounds, including running the HTML Help ActiveX Control within the local security zone within Internet Explorer (for a detailed explanation of what that means, see MS05-001).
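The Enable-to-Prompt change described above can also be checked from a script. The following is an added example, not part of the original article or any Microsoft tool: a PowerShell sketch that reads the current user's Internet-zone ActiveX settings from the registry and, with the hypothetical `-SetPrompt` switch, moves any that are at Enable to Prompt. The article does not say which ActiveX setting it means, so covering all five ActiveX URL actions is an assumption.

```powershell
# Added example: audit the ActiveX settings of the Internet zone for the
# current user and optionally change "Enable" to "Prompt".
param([switch]$SetPrompt)   # -SetPrompt is this script's own (hypothetical) switch

# Zone 3 is the Internet zone in the per-user Internet Settings hive.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs that control ActiveX behaviour in a zone.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$policyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($id in $actions.Keys) {
    # A missing value means the zone's default template applies.
    $current = (Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue).$id

    if ($null -eq $current) {
        $state = 'Not set (zone default applies)'
    } elseif ($policyNames.ContainsKey([int]$current)) {
        $state = $policyNames[[int]$current]
    } else {
        $state = "Other ($current)"
    }

    # Only loosen nothing: settings already at Prompt or Disable are left alone.
    if ($SetPrompt -and $current -eq 0) {
        Set-ItemProperty -Path $zoneKey -Name $id -Value 1 -Type DWord
        $state = 'Prompt (changed from Enable)'
    }

    [pscustomobject]@{
        Action  = $id
        Setting = $actions[$id]
        State   = $state
    }
}
# Note: values set by Group Policy under HKLM\Software\Policies take
# precedence over these per-user values and are not examined here.
```

Run without arguments, the script only reports; nothing is written unless `-SetPrompt` is given.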
Bulletins two and three
The other critical flaw patched by Microsoft last Tuesday also involves Internet Explorer--all versions. Should you surf to a page containing a maliciously formed cursor or icon, you may find yourself controlled by a remote cracker. MS05-002 is rated critical, in part, because there are already working exploits out on the Internet. Once an exploit is available, it is often only a matter of time before someone finds a way to create a virus or a worm from it. Trend Micro has an independent security assessment of this vulnerability.
Firefox to the rescue?
Mozilla Firefox has been designed to run without ActiveX. But in all fairness, now that people are rushing to install Firefox, more and more flaws have been announced. Still, the flaws discovered in Firefox pale against those that exist in Internet Explorer. For one thing, given that there are exploits for at least one of these new vulnerabilities, we know that criminal hackers are interested in attacking IE. When there's a worm spreading exclusively via Firefox, I'll let you know.
http://reviews.cnet.com/4520-3513_7-5621335-1.html?tag=cnetf d.ld