| Compaq Computer said ActiveX programs that ship with its popular desktop and
notebook Presario lines contain a flaw which could allow hackers to
over-write files on users' machines if they visit a specially-constructed
Web page or read a booby-trapped HTML e-mail.
In an advisory issued late yesterday, Compaq said it includes the ActiveX
controls on Presarios to perform customer support tasks. The company
classified the threat as a denial of service vulnerability.
The system bugs were first publicized two years ago by Richard Smith, chief
technology officer for the Privacy Foundation, in
a message to
the NTBugTraq mailing list.
Earlier this year, Smith sent the computer manufacturer a note saying that
his new Compaq Presario 1700 series laptop had come shipped with about a
dozen pre-installed ActiveX controls which were marked "safe for scripting."
"Many of these controls," he wrote were "hardly safe."
In fact, Smith argues that the Compaq Presario and operating systems,
including Windows 98 and Windows Me, contain Active X methods for writing
files to hard drives with controls that can easily be tampered with from
HTML e-mail messages, Web pages, or rogue code.
horn Resources | TechRepublic::
Youve heard the expression taking the bulls by the horns Tags: ActiveX, Linux, Microsoft Corp., Microsoft Longhorn, server, startrekrocks
http://search.techrepublic.com.com/search/horn.htmlHOME |
By definition, an Active X control can be automatically downloaded and
executed by a Web browser. Programmers can develop ActiveX controls in a
variety of languages, including C, C++, Visual Basic and Java.
"They ship something like eleven ActiveX controls that can write to the hard
drive and over-write files," Smith said in an interview with InternetNews.com.
"So the term 'denial of service' is kind of a misnomer. It can destroy data
or the operating system. So I think this is
a bigger deal."
Mercury Strengthens SOA Test Capability::
Taking the Rational Out of RUP. Two unified processes, ESX Server 2.x hosts and storage, and both ESX With Xtreme SuitePro 2006 for ActiveX/COM you
http://www.sdtimes.com/pdf/SDTimesBackIssues/SDTimes161.pdfHOME |
For its part, a Compaq spokesperson said the company issued a patch to about
2 million users through a Compaq services connection.
The spokesperson also added that all Presario computers contained ActiveX
controls. And with so many users at risk, Compaq has started a security
mailing list service to keep users up-to-date. So far, 260,000 people have
signed up.
Discussion threads : 2007-09::
Active X control. AD logon script querie. AD User Creation Script Question implementing group policy in active directory. Implementing RAID in Windows 2003 Server
http://sitemap.techrepublic.com.com/Discussion_threads/2007-09/2007-09.htmlHOME |
the Onda by Antonio Rodriguez::
or even 5 to when Mac OS X first shipped, and think about why today the This is the main reason why taking any old desktop application and webifying it
http://theonda.org/articles/2007HOME |
So while Compaq is certainly taking an active interest in the problem,
perhaps most startling is Smith's contention that PC vendors continue to
sell computers that can be tweaked by hackers.
"PC vendors don't seem to understand ActiveX security and have shipped
software preinstalled on computers that create backdoors that open people's
machines wide open to hackers," he said.
What's disturbing to Smith, and countless other users, is that ActiveX
controls have full access to the Windows operating system. To control this
risk, Microsoft developed a registration system so that browsers can
identify and authenticate an ActiveX control before downloading it.
Compaq says it has no plans to ask vendors to stop shipping Presario
computers.
*Brian McWilliams of InternetNewsRadio also
contributed to this story.
Pre-Article:Hackers Succeed in Breaching Shopping Cart Software
Next-Article:Globbing Function Leaves Some FTP Servers Vulnerable |
Compaq's Active X Policy Taking Water