From: Mark Curphey (markcurphey.com)
Date: Wed Oct 24 2001 - 09:23:03 CDT


    With the caveat of Active-X having Authenticode. Digitally signed binaries,
    sure no granular access control like the original Java applet sandbox but
    it's pretty similar to J2 Applets these days in fact!

    What I was actually interested in is if someone knows the "guts" of a
    browser and can tell me how a plug-in gets installed under say IE. I am
    assuming that all browsers (except LIBWWW !) have a model where they check
    and ask a user if they want to install a plug-in? I see no settings for
    plug-ins at all under IE6.

    I got caught out the other day by Active-X. I never allow Flash to run,
    spent a cross Atlantic flight last year figuring out how to do some really
    nasty programming with it. However I went to a site and got directed to the
    Flash enabled site. I had granted code signed by Macromedia to run and seems
    they now have Flash as a plug-in. Not the only case. Go to the Microsoft
    Security site and you will see the Microsoft Personal Security Advisor.
    http://www.microsoft.com/technet/mpsa/start.asp It's clearly written by
    Shavlik technologies all over the page. Who are they? I have no idea and I
    don't trust them! I do trust MS as I run Win2k on my laptop (prompting to
    install new binaries when they replace the kernel with an SP would be
    foolish so I thought). I was shocked to see the Shavlik control ran with no
    prompts. On investigation MS have signed their code! For the technicians
    there is absolutely nothing wrong with this whatsoever. It all works as
    described and conforms to the model. But kinda tricked me into running
    someone else's technology that I didn't trust.

    So back to the plug-ins... If the Flash plug-in / Active-X runs signed,
    there is no way under that security model to check the validity of the code
    it's running? I.e. plug-in signed by Macromedia and the swf file it runs
    written by Joe Hacker!

    -----Original Message-----
    From: ckrib.de [mailto:ckrib.de]
    Sent: Wednesday, October 24, 2001 2:22 AM
    To: markcurphey.com
    Cc: Bill Pennington; Dennis Groves; Jeremiah Grossman; Mark Curphey;
    Mark Curphey; webappsecsecurityfocus.com
    Subject: Antwort: Re: Slash, Jetspeed...

    Under Windows, Plug-ins and Active X Controls are ordinary executables and
    thus have full access to the operating system. No sandbox whatsoever.

    Carsten Kuckuk

    From: "Mark Curphey" <mcurpheyonebox.com>
    Date: 23.10.2001 20:58
    To: Jeremiah Grossman <jeremiahwhitehatsec.com>
    Cc: Bill Pennington <billpboarder.org>, Dennis Groves <dwgmac.com>,
        Mark Curphey <markcurphey.com>, Mark Curphey <mcurpheyonebox.com>,
        webappsecsecurityfocus.com
    Subject: Re: Slash, Jetspeed...
    Please reply to: mark
    I have never seen any good documentation about plug-ins and exactly what
    they can and can't do... Flash is now an Active-X control, isn't it?

    ---- Jeremiah Grossman <jeremiahwhitehatsec.com> wrote:
    > There are some cool things to be done with the mailto: protocol.
    >
    > One interesting thing I just stumbled across was a mailto:
    > embedded in a Flash File. For some reason my netscape
    > browser when I click on a Flash Link that has a mailto:
    > attached, it sends an auto email to the destination... no warning
    > at all. no other specifics yet on this...
    >
    > But if we are talking just IE or Netscape in HTML... there
    > have been mailto: browser bugs that have sent silent HTML.
    > Most of the time you get warned now before sending an email
    > prompted by HTML.
    >
    >
    >
    >
    > Bill Pennington wrote:
    >
    > > So what about the mailto: URL in IE? Is there a way you could construct a
    > > mailto: URL that would silently send mail to an account and attach a file?
    >
    >
