Because ActiveX can ride pre-approved AOX objects and -not- prompt the user to be installed. This has changed with SP2 in XP, but many users are still not running that. Prior to SP2, the prompts weren't there for objects that piggy-backed a zone (pretended to be from approved sources like MS, etc.).
While it has improved, it's still not completely there, as some AOX "helper" objects are able to piggyback pre-approved AOX controls as 'updates' when in fact, they are not 'updates' but rather malicious BS. See AOX that changes background wallpaper to 'smittie' virus notices.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eli Allen
Sent: Thursday, June 16, 2005 8:10 AM
To: The Hardware List
Subject: Re: [H] Dvorak's take on Intel-Apple

What vulnerabilities does ActiveX have that FF doesn't? In both cases you are prompted if you want to install, and in both cases if you say yes you get infected.

Eli

----- Original Message -----
> At 09:39 AM 16/06/2005, Eli Allen wrote:
>>Just because it doesn't support ActiveX doesn't mean anything. As I said,
>>spyware requires IE
>
> Except that it avoids all the ActiveX nasties out there. Which is
> currently the main infection vector, as I understand it.
>
>>is nothing inherent about ActiveX other than it being the popular way of
>>doing things so if another interface becomes popular I'm sure spyware will
>>take advantage of it.
>
> It depends on how the new interface is written. So far, the FF team has
> worked to remove vulnerabilities whilst MS has not (at least not as fast.)
> I recall that last year MS' solution to ActiveX attack was to tell people
> to disallow any ActiveX controls - including ones from MS. Not a pretty
> sight when a company can't even guarantee its own controls are a) safe or
> b) actually from itself.
>
> But as FF becomes more popular, it will become more of a target. Just as
> Apple or Linux will as they grow market share.
>
> T
>