Bugtraq mailing list archives
Re: RIP: ActiveX controls in Internet Explorer?
From: Igor Filippov <igor () osc edu>
Date: Tue, 2 Sep 2003 13:02:39 -0400 (EDT)
It seems the patent in question covers not only client-side executables, but server-side as well:

"Once selected the program object executes on the user's (client) computer or may execute on a remote server or additional remote computers"

So, not only javascript/flash/java are subjects of this copyright but any CGI/whatnot application as well - or am I reading it wrong?

Igor

On Mon, 1 Sep 2003, Simon Brady wrote:
> On Sat, 30 Aug 2003, Alun Jones wrote:
>
> > The descriptions I've heard of this suggest that this patent could be applied equally to prevent (or grab payment from implementors of) Javascript, Java, Flash, etc.
> >
> > I'm with you on the security issues with ActiveX (and Javascript) - I disable ActiveX on the principle that it has no security consideration, and Javascript on the basis that it's been frequently implemented in a vulnerable manner.
> >
> > But this is a considerably further-reaching patent than merely killing off ActiveX. Before we sing "ding dong the witch is dead", let's have some concern for the peaceful Wiccans that might be next on the chopping block.
>
> Java and Flash aren't exactly free of security issues either. In fact, I would go further and argue that the whole notion of a controlled client-side runtime environment for remote code has been an unmitigated disaster for the web (and this is solely from a security perspective - see http://members.optusnet.com.au/~night.owl/morons.html for a refreshing take on the usability crisis they've caused).
>
> I'm not just referring to current implementations with their appalling defect rates. All client-side runtimes, no matter how well-written, inherently reduce security. That's their function: to give outsiders access to your machine they otherwise wouldn't have. Even more insidiously, their prevalence numbs users into a mode of thought that it's quite normal and healthy to let this happen.
>
> How can the security community promote safe browsing when users are being forever brainwashed into ignoring or disabling security features for the sake of pointless but pretty downloadable applets? How can we encourage content developers to reduce attack surface when fashion demands yet more gratuitous bells and whistles?
>
> Web applications belong on the server. The more widely this patent gets applied the better off the browsing public will be.
>
> --
> Simon Brady                             mailto:simon.brady () otago ac nz
> ITS Technical Services
> University of Otago, Dunedin, New Zealand
> I don't speak for my employer, and they don't speak for me.