MozillaZine

New IE Security Hole - And It's a Big One!

Tuesday August 24th, 1999

Yet another hole has been found in Internet Explorer's ActiveX implementation. This one allows arbitrary code to be written to the user's hard-drive. The bug was found by Georgi Guninski, who has found many security bugs in IE and Communicator. To read more about it, click here to visit Georgi's page. If you click "Test it" beside the name of this bug ("Executing programs with IE 5.0") while using IE, the page you visit will write a small bit of sample code to your StartUp menu. You've been warned. Georgi calls this bug "the most significant of my discoveries and the most dangerous also".

Thanks to Zaw for the news.


#18 Will it affect Mozilla?

by locka <adamlock@eircom.net>

Thursday August 26th, 1999 3:05 AM

You are replying to this message

The Mozilla control is obviously ActiveX but it only allows itself to embedded into other apps at present (including IE). Since the control is not signed, IE will only run it if you turn off the normal security settings or run it locally.

I am 100% certain that there are security flaws waiting to be found so making the Mozilla control not safe for scripting is a sensible precaution.

As to whether Mozilla will host controls inside itself, my thoughts are that it can and should (though in a very limited way). ActiveX controls are demonstrably a bad idea in the Internet but are useful in the Intranet and in custom applications (such as an encylopedia built using Mozilla).

The Mozilla control project can already be built as a ActiveX plugin (like the NCompass one) but it is experimental and not done by default. At present it will only runs controls that are already on the PC. It will not attempt to download and install them if they are not. It is likely that it will never download controls that are not there due to issues surrounding control signing and CAB.

Neither are controls scriptable, though this is more due to a problem I am having with Liveconnect. Even when I fix this only controls marked as safe for scripting will be exposed to scripts.