Unlike many items that are downloaded via a browser, ActiveX controls have access to the Windows operating system. Because an ActiveX control is a COM object, it runs with the privileges of the currently logged-in user, which can mean anything from read and write access to the file system to access to keys in the registry. Access to the underlying OS gives ActiveX significant power, and corresponding risk, when it is used on the Internet. For example, while Java provides significant security control for a user's browser, it is not built to "break out" of the browser and access the operating system. Java applets run in a "sandbox" precisely because they execute downloaded code that should not be given access to the operating system. Conversely, ActiveX controls have no sandbox and access the operating system directly. Components that allow direct access to the OS are attractive targets for attackers, since a flaw in one gives unchecked access to the system; this is why poorly written ActiveX controls have turned out to be a security problem for many organizations. Note that the lack of a sandbox makes flaws in ActiveX generally more severe, but insecure controls written in Java or .NET can be just as harmful as those in ActiveX.
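Because a control registered on a Windows host can be instantiated by any web page once it is marked "safe for scripting," the practical check is to inventory which controls are registered, which of them are scriptable, and which have already been disabled with IE's kill bit (bit 0x400 of the Compatibility Flags value). The following PowerShell script is an added example, not code from the original text; it reads only the documented registry locations (the CLSID hive, the Implemented Categories subkey, and the ActiveX Compatibility key) and the function names, variable names and the decision to list only scriptable controls without a kill bit are this example's own choices. Run it in an elevated PowerShell session on the host being audited; what it reports depends on the controls installed there.

```powershell
# Added example (not from the original text): inventory registered ActiveX controls,
# flag those a web page could script, and show whether the kill bit already disables
# them. Function and variable names are this example's own; registry paths and the
# category GUIDs are the documented Windows/IE ones.

$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBit          = 0x400                                       # Compatibility Flags bit

$ClsidRoots  = @('HKLM:\SOFTWARE\Classes\CLSID',
                 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
$CompatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')

function Test-KillBit([string]$Clsid) {
    # True if either the native or the WOW64 compatibility entry carries 0x400.
    foreach ($root in $CompatRoots) {
        $key = "$root\$Clsid"
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -and (($flags -band $KillBit) -ne 0)) { return $true }
        }
    }
    return $false
}

function Get-ActiveXControl {
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path $root)) { continue }
        # A CLSID that has a 'Control' subkey is registered as an ActiveX control.
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { Test-Path "$($_.PSPath)\Control" } |
            ForEach-Object {
                $clsid  = $_.PSChildName
                $server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                $cats   = Get-ChildItem -Path "$($_.PSPath)\Implemented Categories" -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.PSChildName }
                [pscustomobject]@{
                    CLSID            = $clsid
                    Name             = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                    Server           = $server                       # DLL/OCX that backs the control
                    SafeForScripting = ($cats -contains $SafeForScripting)
                    SafeForInit      = ($cats -contains $SafeForInit)
                    KillBitSet       = (Test-KillBit $clsid)
                }
            }
    }
}

function Set-KillBit([string]$Clsid) {
    # Sets 0x400 in both views so IE (and other hosts that honor the list) refuse to load it.
    foreach ($root in $CompatRoots) {
        $key = "$root\$Clsid"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $current) { $current = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

# Report the controls a web page could drive that are not yet disabled; review this
# list and call Set-KillBit '{CLSID}' for each control the host does not need.
Get-ActiveXControl |
    Where-Object { $_.SafeForScripting -and -not $_.KillBitSet } |
    Sort-Object Name |
    Format-Table CLSID, Name, Server, SafeForInit -AutoSize
```

The kill bit disables a control only in Internet Explorer and other mshtml-based hosts; it does not unregister the COM object, so a local program can still instantiate it, and it does not remove the file. Treat the output as a starting list for review rather than an automatic block list, since legitimate intranet applications may depend on a scriptable control.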