funsec mailing list archives

Re: Microsoft issues IE update to get around the Eolas patent


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 01 Mar 2006 16:09:49 +1300

Dude VanWinkle to Richard M. Smith:

> I wonder how many Web sites this Microsoft patch will break.......

Well, they don't outright break -- unless I misunderstood something, 
the user simply has to click the control an extra time before they can 
_directly interact_ (including via script embedded in the page) with 
the control, but (initial) dynamic content played or displayed by the 
control will still activate.

After you install this update, you cannot interact with ActiveX controls
from certain Web pages until these controls are enabled. To enable an
ActiveX control, manually click the control.

> I wonder how much spyware this will prevent from being installed?

It will have the _opposite_ effect.

To get around the user having to manually "activate" the control by 
clicking it, web authors can ensure that the control is "dynamically 
instantiated" (my term), and thus immediately activated, via script, 
rather than being "passively" instantiated the old (aka "infringing") 
way (i.e. via APPLET, EMBED or OBJECT tags in the main page -- this is 
effectively what the patent rules out), thus requiring "activation".

What all that means is that web authors will, and rather quickly I 
suspect, move to this new construction to get their ActiveX controls 
enabled and so the pressure on browser users to move back to having 
MORE script-enabled sites or even more script-enabled security domains 
in IE will increase, so we will see MORE script-based silliness, 
including compromises and the like.

This move is even more reason to abandon IE totally.

MS should have taken its loss in the Eolas patent case, combined it 
with Billy Boy's previous, well-publicized insistence that security is 
now really more important than functionality, and used that as the 
raison d'etre for finally killing its shitty pile of security holes 
that passes with some as a miserable excuse for a web browser.

It didn't, so we have yet more evidence that, despite Billy Boy's 
publicly released memo, security is really only more important at MS 
now if it's _wholly convenient_ for it to be more important.  In other 
words, despite all the grandstanding in the media, actually very little 
has changed at MS viz security...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
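An added illustration of the distinction Nick draws above, not code from the post, from Microsoft or from the list: a small Python scanner that reports whether a page instantiates plugin content the "passive" way (inline OBJECT/EMBED/APPLET, which the patched IE gates behind a click) or via script (which activates with no click, but only when scripting is enabled for the site). The two sample pages and the script file name are constructed for the example.

```python
import re
from html.parser import HTMLParser

PLUGIN_TAGS = {"object", "embed", "applet"}
# Script idioms that inject a plugin tag at runtime (no extra click in a patched IE, but needs script enabled).
DYNAMIC_PATTERNS = [
    re.compile(r"document\.write(?:ln)?\s*\(.*?<\s*(object|embed|applet)\b", re.I | re.S),
    re.compile(r"createElement\s*\(\s*['\"](object|embed|applet)['\"]", re.I),
]

def find_dynamic_instantiation(script_text):
    """Tag names a script block injects at runtime, in pattern order."""
    return [m.group(1).lower() for p in DYNAMIC_PATTERNS for m in p.finditer(script_text)]

class PluginInstantiationScanner(HTMLParser):
    """Separates inline ("passive") plugin tags from script-driven ones."""
    def __init__(self):
        super().__init__()
        self.passive = []           # OBJECT/EMBED/APPLET written in the markup
        self.dynamic = []           # tags injected by inline script
        self.external_scripts = []  # src= scripts that may do the same out of view
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag in PLUGIN_TAGS:
            self.passive.append(tag)
        elif tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.external_scripts.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        # html.parser hands <script> bodies over verbatim, so a quoted '<object>' is not seen as a tag
        if self._in_script:
            self.dynamic.extend(find_dynamic_instantiation(data))

def scan(html):
    s = PluginInstantiationScanner()
    s.feed(html)
    return {"passive": s.passive, "dynamic": s.dynamic, "external_scripts": s.external_scripts}

# Constructed sample pages, not real sites: the old inline way vs the scripted way.
PASSIVE_PAGE = """<object type="application/x-shockwave-flash" data="intro.swf">
<param name="quality" value="high"></object>"""
DYNAMIC_PAGE = """<div id="player"></div><script src="embed-player.js"></script>
<script>document.write('<object type="application/x-shockwave-flash" data="intro.swf"></object>');
var e = document.createElement("embed");</script>"""
```

A page that reports only `external_scripts` needs those files scanned the same way, since the injection can live entirely out of view of the main document.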