Mozilla 1.6 ActiveX Control Installer and Scriptable ActiveX Plugin for Mozilla 1.6 Released

Tuesday January 20th, 2004

Adam Lock writes: "Following in the wake of Mozilla 1.6, I'm happy to announce the release of the new standalone Mozilla 1.6 ActiveX Control installer and the Scriptable ActiveX Plugin for Mozilla 1.6. Both are available from my website.

"New features for the control include support for the view-source: and data: protocols, plus it ships with the ActiveX plugin, so it is possible to host ActiveX content from inside the control. The installer is slightly smaller (4.5 MB) thanks to bzip2 compression.

"There are no new features in the plugin but Mozilla 1.6 is unencumbered by the regression that disabled scripting support in 1.5."

#10 Re: I'll rather pass, and so should other people..

by locka

Thursday January 22nd, 2004 1:57 AM


It's pretty straightforward - the plugin is used by a minuscule fraction of Mozilla users who explicitly want ActiveX support and go to my website and install it. And of those I expect most if not all of them are developers of one kind or another.

Even so, the plugin ships with a reasonable set of security flags (equivalent to Medium in IE) that allow safe-for-scripting controls and control download & install with signing. The user is prompted by the usual signature-checking dialogs during installation. The flags do not allow unsafe controls to run, and any controls blacklisted by IE are also excluded. If you don't like these settings, don't install the plugin or change the flags. I'm glad the page is intimidating because I don't care about (or get paid for) supporting normal users. At this stage I am interested in developer feedback, bug reports etc.

If the plugin ships by default in Mozilla and becomes a 'consumer' distribution the settings will tighten to reflect that. But not until that happens.

A hacker would find it much easier to ship a malicious .xpi or plugin. How hard would it be to write an extension that replaced a DLL, installed a backdoor or submitted the wallet data to an IRC channel? Not hard at all. What's more, the Firebird Extension site makes it simple to submit the extension and put it within easy reach of hundreds of thousands of people.

And Firebird users habitually install extensions without a second's thought. So that's what you should be worrying about. Mozilla / Firebird advocates have traditionally complained about how insecure ActiveX is (trust model etc.) and then go and rely on something even worse. I'm surprised a malicious extension hasn't appeared actually. I'm sure there will be a big flap when it does too.

The situation could be immediately improved if Mozilla mandated signed XPI files. Better yet if certs were easier to get. For example could hand out certs for a $200 deposit, and would be in an ideal position to revoke them fast if need be.

ActiveX really is the least of your problems.
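The registry-side policy the comment describes (run a control only if it is marked safe for scripting, and never if IE has blacklisted it) can be audited offline. The following is an added example, not the plugin's own code nor anything from the Mozilla project: it walks a constructed registry snapshot, collects each control's "Implemented Categories" and IE "Compatibility Flags", and reports which controls a Medium-style host would instantiate. The CATID values for safe-for-scripting and safe-for-initializing and the 0x400 kill bit are the real Windows constants; the three CLSIDs, control names and the snapshot itself are constructed for the example, and reading a live hive via `winreg` is left as an assumption.

```python
"""Audit which ActiveX controls a 'Medium'-style host policy would allow.

Added example. Registry data below is a constructed in-memory snapshot,
keyed by registry path; on a real Windows box the same paths would be
read with winreg (not done here so the example runs offline anywhere).
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Real component-category IDs a control registers under
# HKCR\CLSID\{clsid}\Implemented Categories to declare itself safe.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# Real kill bit: set in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{clsid}.
# IE (and a host honouring IE's blacklist) never instantiates such a control.
KILL_BIT = 0x00000400

CLSID_ROOT = r"HKCR\CLSID"
COMPAT_ROOT = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CATEGORY_SUBKEY = "Implemented Categories"


def key(*parts: str) -> str:
    """Join registry path components with backslashes."""
    return "\\".join(parts)


# Hypothetical CLSIDs (constructed, not real controls).
CLSID_SAFE = "{11111111-0000-0000-0000-000000000001}"
CLSID_KILLED = "{11111111-0000-0000-0000-000000000002}"
CLSID_UNMARKED = "{11111111-0000-0000-0000-000000000003}"

# Constructed snapshot: path -> {value name: data}; "" is the default value.
CONSTRUCTED_REGISTRY: Dict[str, Dict[str, object]] = {
    # Control 1: marked safe for scripting and initializing, no kill bit.
    key(CLSID_ROOT, CLSID_SAFE): {"": "Demo Safe Control"},
    key(CLSID_ROOT, CLSID_SAFE, CATEGORY_SUBKEY, CATID_SAFE_FOR_SCRIPTING): {},
    key(CLSID_ROOT, CLSID_SAFE, CATEGORY_SUBKEY, CATID_SAFE_FOR_INITIALIZING): {},
    # Control 2: claims to be safe, but IE has kill-bitted it.
    key(CLSID_ROOT, CLSID_KILLED): {"": "Demo Blacklisted Control"},
    key(CLSID_ROOT, CLSID_KILLED, CATEGORY_SUBKEY, CATID_SAFE_FOR_SCRIPTING): {},
    key(CLSID_ROOT, CLSID_KILLED, CATEGORY_SUBKEY, CATID_SAFE_FOR_INITIALIZING): {},
    key(COMPAT_ROOT, CLSID_KILLED): {"Compatibility Flags": KILL_BIT},
    # Control 3: registered but never declared safe.
    key(CLSID_ROOT, CLSID_UNMARKED): {"": "Demo Unmarked Control"},
}


@dataclass
class ControlInfo:
    clsid: str
    name: str = ""
    categories: Set[str] = field(default_factory=set)
    compat_flags: int = 0


def enumerate_controls(registry: Dict[str, Dict[str, object]]) -> Dict[str, ControlInfo]:
    """Collect every CLSID under HKCR\\CLSID with its categories and IE flags."""
    controls: Dict[str, ControlInfo] = {}
    prefix = CLSID_ROOT + "\\"
    cat_prefix = CATEGORY_SUBKEY + "\\"
    for path, values in registry.items():
        if not path.startswith(prefix):
            continue
        clsid, _, tail = path[len(prefix):].partition("\\")
        info = controls.setdefault(clsid, ControlInfo(clsid))
        if tail == "":
            info.name = str(values.get("", ""))
        elif tail.startswith(cat_prefix):
            info.categories.add(tail[len(cat_prefix):])
    for clsid, info in controls.items():
        compat = registry.get(key(COMPAT_ROOT, clsid), {})
        info.compat_flags = int(compat.get("Compatibility Flags", 0))
    return controls


def evaluate(info: ControlInfo, scripting: bool = True,
             init_from_data: bool = True) -> Tuple[bool, str]:
    """Medium-style decision: blacklist first, then the safety categories."""
    if info.compat_flags & KILL_BIT:
        return False, "kill bit set"
    if scripting and CATID_SAFE_FOR_SCRIPTING not in info.categories:
        return False, "not marked safe for scripting"
    if init_from_data and CATID_SAFE_FOR_INITIALIZING not in info.categories:
        return False, "not marked safe for initializing"
    return True, "allowed"


def audit(registry: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[bool, str]]:
    """Map every registered CLSID to its (allowed, reason) verdict."""
    return {clsid: evaluate(info) for clsid, info in enumerate_controls(registry).items()}


if __name__ == "__main__":
    for clsid, info in enumerate_controls(CONSTRUCTED_REGISTRY).items():
        allowed, reason = evaluate(info)
        print(f"{clsid} {info.name!r}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Two caveats for anyone using this as a real audit: a control can also assert safety at run time through IObjectSafety, which a registry walk does not see, so a host that honours that interface may run controls this script reports as unmarked; and "safe for scripting" is the vendor's claim about its own control, not an independent judgement, which is why the kill bit (IE's blacklist) is checked first and overrides it.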