[opensource] New Web Browser

Marc Uhrich uhrich.1 at gradsch.ohio-state.edu
Thu Oct 25 17:17:44 EDT 2007


I'm responding to both Brian's and Adam's comments here...

What Paul means by "context of your username" is the permission
structure of the user account logged onto the computer at the time.  For
example, if you logged into a lab computer where there are a lot of
restrictions, the code the ActiveX control runs will be limited by those
restrictions.  If you are running your computer with administrator
privileges, like most Windows users, the ActiveX control can do *pretty
much* anything it wants.

This is a fundamental issue between convenience and security.  ActiveX
controls allow people to write really sophisticated web applications,
but open them up to severe vulnerabilities.  Microsoft has figured out
this glaring security hole and made some attempts to mitigate it in IE
7.  As far as I know, IE 7 on both Windows XP and Windows Vista
disables ActiveX controls and disables the prompt to install them.
Prior versions prompted, but naive or uninformed users would just click
yes to make things work and circumvent this control.  It's nice to see
that they might limit ActiveX code in IE7+ instead of just "hiding it".
To be honest, I haven't been following it much.

All of this reminds me of the famous quote in Spider-Man: "with great
power comes great responsibility".  Using the countless spam messages
and continuous net attacks we get here at the Graduate School as an
indicator, I don't think the general internet community is, or will be,
ready for the responsibility.

Marc Uhrich
Systems Engineer @ OSU Graduate School
247 University Hall, 230 N Oval Mall
Columbus, Ohio  43210
(614) 292-0600
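
[Editor's note: the following is an added example, not part of Marc's
message or anything posted to the list.]  The thread turns on two facts:
an ActiveX control is native code that inherits whatever the logged-on
account can do, and IE's per-zone settings decide whether a control may
be downloaded or run (and whether the user is even prompted).  The
PowerShell audit below reads those settings from the registry for the
Internet zone, counts the CLSIDs that have the IE kill bit set, and
reports whether the current token is in the local Administrators group,
i.e. what a control running "in the context of your username" would
inherit.  The registry paths and URL-action codes (1001, 1004, 1200,
1201, 1208, 2500) are IE's documented zone settings; the hypothetical
helper name Get-ZoneAction and the "WEAK" labels are this example's own.

```powershell
# Added example (not from the original list message): audit the local IE
# ActiveX posture and the privilege context a control would inherit.
# Zone 3 is the "Internet" zone; a machine policy key, if present, wins
# over the user's own setting.
$zonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policyPath = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE URL actions that govern ActiveX (hex action id -> meaning).
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1208' = 'Allow previously unused ActiveX controls to run without prompt'
    '2500' = 'Protected Mode (IE7 on Vista and later)'
}
# URLPOLICY values stored under each action: 0 = Enable, 1 = Prompt, 3 = Disable.
$policyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction {
    # Hypothetical helper (this example's own): effective value of one action.
    param([string]$Action)
    foreach ($p in @($policyPath, $zonePath)) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -Name $Action -ErrorAction SilentlyContinue).$Action
            if ($null -ne $v) { return [int]$v }
        }
    }
    return $null   # not set: IE applies its built-in default for the zone
}

Write-Host '== Internet zone ActiveX settings =='
foreach ($a in $actions.Keys) {
    $v = Get-ZoneAction $a
    $state = if ($null -eq $v) { 'default (not set)' }
             elseif ($policyNames.ContainsKey($v)) { $policyNames[$v] }
             else { "raw $v" }
    $flag = ''
    # "Enable" on download/unsafe-init/no-prompt actions means controls get in
    # with no user decision at all: the "just click yes" problem, minus the click.
    if (($a -in '1001','1004','1201','1208') -and ($v -eq 0)) { $flag = '  <-- WEAK: silent' }
    if (($a -eq '2500') -and ($v -eq 3))                       { $flag = '  <-- WEAK: Protected Mode off' }
    Write-Host ('{0}  {1,-65} {2}{3}' -f $a, $actions[$a], $state, $flag)
}

# Kill bits: CLSIDs IE refuses to instantiate (bit 0x400 in "Compatibility Flags").
$kbPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killed = @(Get-ChildItem $kbPath -ErrorAction SilentlyContinue | Where-Object {
    ((Get-ItemProperty $_.PSPath).'Compatibility Flags' -band 0x400) -ne 0
})
Write-Host "`nKill-bitted CLSIDs: $($killed.Count)"

# "Context of your username": the rights any control in this session inherits.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "`nRunning as $($id.Name); token is in Administrators: $isAdmin"
if ($isAdmin) {
    Write-Host 'A control instantiated in this session runs with full administrative rights.'
} else {
    Write-Host 'A control is limited to this account''s permissions (on Vista+ with UAC this is the filtered token).'
}
```

Run it in the same session the browser is started from; the last check
reports on the token of the PowerShell process, so an elevated console
will show Administrators membership that a non-elevated IE would not
have.  On 64-bit Windows the 32-bit IE consults the Wow6432Node copy of
the kill-bit key as well, which this script does not enumerate.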
 

-----Original Message-----
From: opensource-bounces at cse.ohio-state.edu
[mailto:opensource-bounces at cse.ohio-state.edu] On Behalf Of Adam C.
Champion
Sent: Thursday, October 25, 2007 2:33 PM
To: opensource at cse.ohio-state.edu
Subject: Re: [opensource] New Web Browser

Wow. I thought ActiveX scripts ran in a "sandbox" within the client's IE
browser, like Java applets do in any browser. I know IE 7+ in Vista
places restrictions on scripts and "active Web content", but users of
previous Windows versions can't download IE 7+! So other versions of IE
run ActiveX scripts with the user's permissions? Yikes.

I can think of many ways these "features" can be abused, and potentially
open up security vulnerabilities...

-Adam

Paul Betts wrote:
>> but how does it "lock down" students' *entire* interaction with the 
>> OS (e.g., prevent them from closing or minimizing the browser)?
> 
> If they're running their own ActiveX control, they can do *anything 
> they want*. They are running arbitrary C++ code in the context of your
> username.
> 
_______________________________________________
Opensource mailing list
Opensource at cse.ohio-state.edu
http://mail.cse.ohio-state.edu/mailman/listinfo/opensource
