• ActiveX method: A method is a function call that may or may not be
implemented. A method has parameters, like a function call.
• ActiveX property: ActiveX properties are also implemented as function calls
along the lines of the Get/Set convention.
Figure 8-1 ActiveX controls (diagram labels: Internet, Browser, Internet Explorer, ActiveX Control, Operating System, File System, Registry)
200 Hacking Exposed Web 2.0
ActiveX controls can be safe, but because they can be written to access OS resources
and they can be written in languages that allow format string or buffer overflow attacks,
they can have security holes.
ActiveX seemed to be Microsoft's response to Java applets. While applets were doing
everything in the browser, Microsoft took it one step further and allowed ActiveX to do
everything in the browser and underlying operating system. Java exposes operating
system functionality (such as read/write files), but through a virtualized wrapper. The
security benefit of Java over ActiveX is the expressive security model. When deployed,
ActiveX controls were supposed to be a benefit to end users. For example, when visiting
a web page that requires an ActiveX component, an ActiveX control can be invoked by
the web application automatically.