This may be out-of-date, but I know some companies still blindly rely on a
firewall or proxy to filter ActiveX and think it is safe.
Last year, CERT / Steven Bellovin + others wrote a report ("Results of the
Security in ActiveX Workshop") to discuss ActiveX security. In it, they
mention that it is still unsafe to filter ActiveX on the firewall, since
HTTPS traffic will tunnel through unchecked (unless the SSL connections are
terminated at the firewall / proxy level).
If a hacker wants to compromise a site through ActiveX, they will establish a
secure web server with exploit code, and their exploit can potentially get
through lots of company firewalls undetected.
The CERT report also has recommendations for securing the desktop for ActiveX.
But I find that the recommendations will be difficult to implement / manage
in a large company with lots of desktops.
I know some companies only allow the Flash control to get through but not other
ActiveX controls. I don't know how they implement it, but maybe using a
combination of the "CodeBaseSearchPath" and "Administrator Approved"
attributes.
I wonder if this is a common problem for the security community? (i.e.,
people just block ActiveX on the firewall.)
How would you secure ActiveX in your environment? Any good practices you
know of?
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
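The poster's guess about "CodeBaseSearchPath" and "Administrator Approved" is the desktop-side control the CERT report points at: since the firewall cannot see inside HTTPS, the decision has to be enforced in the browser's zone settings. The script below is an added example, not code from the original post or from the CERT report. It locks the Internet zone down to administrator-approved controls, approves only the Flash control by its CLSID, and removes the CODEBASE token from CodeBaseSearchPath so a page cannot direct the browser to fetch a control binary from an arbitrary (including HTTPS) server. The registry paths, the zone-action numbers and their meanings, the Flash CLSID, and the internal object-store URL are assumptions of this example; check them against the IE version you deploy before rolling it out.

```powershell
# Added example: enforce "Administrator approved" ActiveX for the Internet zone.
# Registry locations and action codes are assumptions of this example; the
# object-store URL is a placeholder. Run from an elevated PowerShell session.

# Zone 3 = Internet zone; policy hive so users cannot undo it from the IE dialog.
$ZonePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Allowed      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls'
$InetSettings = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$FlashClsid   = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object (assumed CLSID)
$ObjectStore  = 'http://objects.example.internal/'          # placeholder internal object store

foreach ($k in $ZonePolicy, $Allowed) { New-Item -Path $k -Force | Out-Null }

# Action 1200 = "Run ActiveX controls and plug-ins".
# 0 = enable, 1 = prompt, 3 = disable, 0x10000 = administrator approved only.
Set-ItemProperty -Path $ZonePolicy -Name '1200' -Value 0x10000 -Type DWord

# Action 1001 = download signed controls, 1004 = download unsigned controls.
# Disable both: signed code is not safe code, and HTTPS hides the download anyway.
Set-ItemProperty -Path $ZonePolicy -Name '1001' -Value 3 -Type DWord
Set-ItemProperty -Path $ZonePolicy -Name '1004' -Value 3 -Type DWord

# Approved list: value name = CLSID, DWORD 0 = approved. Anything not listed
# here does not run in the zone, regardless of where the page came from.
Set-ItemProperty -Path $Allowed -Name $FlashClsid -Value 0 -Type DWord

# CodeBaseSearchPath: the literal token CODEBASE tells IE to honour the page's
# CODEBASE attribute, i.e. download the control from whatever URL the attacker's
# page names. Replacing it with a single internal store removes that path.
Set-ItemProperty -Path $InetSettings -Name 'CodeBaseSearchPath' -Value $ObjectStore -Type String

function Test-ActiveXLockdown {
    # Read back what was set so the result can be compared across many desktops.
    $zone     = Get-ItemProperty -Path $ZonePolicy
    $locked   = ($zone.'1200' -eq 0x10000) -and ($zone.'1001' -eq 3) -and ($zone.'1004' -eq 3)
    $approved = (Get-Item -Path $Allowed).Property
    $path     = (Get-ItemProperty -Path $InetSettings).CodeBaseSearchPath
    [pscustomobject]@{
        ZoneLockedDown       = $locked
        ApprovedControls     = $approved
        CodeBaseSearchPath   = $path
        CodeBaseTokenPresent = (($path -split ';') -contains 'CODEBASE')   # should be False
    }
}

Test-ActiveXLockdown
```

The check function exists so the same settings can be audited fleet-wide (for example by running it through a logon script or remote session and collecting the objects), which addresses the "hard to manage on lots of desktops" concern more directly than a one-off firewall rule. Note that this only governs what the browser will run; it does nothing for the HTTPS inspection gap itself, which the CERT report says can only be closed by terminating SSL at the proxy.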