This past summer, CERT sponsored a two-day workshop on security issues with ActiveX controls. The resulting paper contains a lot of information about how individuals and organizations can reduce security risks in Internet Explorer when using ActiveX controls. In addition, there is a section aimed at software developers on how to create safer controls.
Credit:
The paper can be downloaded from:
http://www.cert.org/reports/activeX_report.pdf
The information has been provided by Richard M. Smith.
From the paper:
"On August 22-23, 2000, the CERT® Coordination Center hosted a workshop in Pittsburgh, Pennsylvania, for twenty invited experts to address security issues related to ActiveX controls. The primary goal of the workshop was to identify the situations under which ActiveX and related technologies may be used safely and to produce a paper describing security concerns and configuration guidance.
That goal was achieved and the result of the workshop, this paper, serves not only to dispel unwarranted myths about the safety of using ActiveX but also to furnish guidance to network administrators and others faced with security issues involving mobile code in general and ActiveX in particular. ActiveX and similar mobile codes provide enhanced usability. The level of enhancement is significant enough for corporate and government users that Internet security policies and procedures should reflect 'risk management' rather than 'risk avoidance'."
"Part 1 of this paper provides an overview of ActiveX, including security concerns and security features. Following this general information are, in Part 2, suggestions and good practices for specific groups in the Internet community:
- managers.
- system administrators and security personnel.
- developers of ActiveX controls and software that uses them.
- users who administer their own computers; anyone who doesn't have a system administrator or security expert managing their system.
The workshop participants hope that the information offered here will help readers make informed decisions about the security tradeoffs related to ActiveX controls and ultimately improve security in their use. The contributors to this paper encourage readers to distribute their paper widely. Readers should also be vigilant, keeping informed about further developments, checking the references listed in Appendix C, and monitoring web sites such as those of the CERT Coordination Center and Microsoft."