Re: RIP: ActiveX controls in Internet Explorer?

To: Simon Brady <simon.brady@xxxxxxxxxxx>
Subject: Re: RIP: ActiveX controls in Internet Explorer?
From: Igor Filippov <igor@xxxxxxx>
Date: Tue, 2 Sep 2003 13:02:39 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.44.0309011248090.12552-100000@xxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

It seems the patent in question covers not only client-side
executables, but server-side as well:
"Once selected the program object executes on the
user's (client) computer or may execute on a remote server or additional
remote computers"
So, not only javascript/flash/java are subjects of this copyright
but any CGI/whatnot application as well -  or am I reading it wrong ?

Igor



On Mon, 1 Sep 2003, Simon Brady wrote:

> On Sat, 30 Aug 2003, Alun Jones wrote:
> 
> > The descriptions I've heard of this suggest that this patent could be
> > applied equally to prevent (or grab payment from implementors of)
> > Javascript, Java, Flash, etc.
> > 
> > I'm with you on the security issues with ActiveX (and Javascript) - I
> > disable ActiveX on the principle that it has no security consideration, and
> > Javascript on the basis that it's been frequently implemented in a
> > vulnerable manner.  But this is a considerably further-reaching patent than
> > merely killing off ActiveX.  Before we sing "ding dong the witch is dead",
> > let's have some concern for the peaceful Wiccans that might be next on the
> > chopping block.
> 
> Java and Flash aren't exactly free of security issues either. In fact, I 
> would go further and argue that the whole notion of a controlled 
> client-side runtime environment for remote code has been an unmitigated 
> disaster for the web (and this is solely from a security perspective - see 
> http://members.optusnet.com.au/~night.owl/morons.html for a refreshing 
> take on the usability crisis they've caused).
> 
> I'm not just referring to current implementations with their appalling 
> defect rates. All client-side runtimes, no matter how well-written,  
> inherently reduce security. That's their function: to give outsiders 
> access to your machine they otherwise wouldn't have.
> 
> Even more insidiously, their prevalence numbs users into a mode of thought
> that it's quite normal and healthy to let this happen. How can the
> security community promote safe browsing when users are being forever
> brainwashed into ignoring or disabling security features for the sake of
> pointless but pretty downloadable applets? How can we encourage content
> developers to reduce attack surface when fashion demands yet more
> gratuitous bells and whistles?
> 
> Web applications belong on the server. The more widely this patent gets
> applied the better off the browsing public will be.
> 
> --
> Simon Brady                             mailto:simon.brady@xxxxxxxxxxx
> ITS Technical Services
> University of Otago, Dunedin, New Zealand
> 
>     I don't speak for my employer, and they don't speak for me.
>

Follow-Ups:
- Re: RIP: ActiveX controls in Internet Explorer?
  - From: Peter J. Holzer

Prev by Date: IE 5.x keep-alive session hijacking
Next by Date: (Ad-) Host blocking may cause Windows Update to silently fail
Previous by thread: Re: Fwd: IE 5.x keep-alive session hijacking
Next by thread: Re: RIP: ActiveX controls in Internet Explorer?
Index(es):
- Date
- Thread