While this feature was initially touted by Microsoft as a significant advantage
over Java applets, it proved to be a significant exposure point, primarily because of
security issues. Nevertheless, while ActiveX had a very rough start, Microsoft has provided
several security measures that allow controls to be used with a significant amount of
protection. For example, features such as SiteLock, code signing, and not marking controls
safe for scripting or initialization all help mitigate the security issues exposed by ActiveX controls.
While Microsoft has done a decent job of providing security protections for ActiveX, the
technology architecture, the way developers use them, and the way administrators are
deploying them all create situations in which the technology is used insecurely. Several
solutions can mitigate the ActiveX security exposures, and a simple search on a particular
security vulnerability database will probably show that ActiveX buffer overflow exploits
have occurred within the current month.
The key thing to remember when using ActiveX is to use all its security options. If
your organization wants to deploy ActiveX controls for any reason, the majority of the
security features provided by Microsoft and covered in this chapter should be mandated
by the organization.