Microsoft has taken the unusual step of issuing a workaround for a new security bug involving Microsoft Office a day before its regular Patch Tuesday update. Hacking attacks targeting a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access prompted Redmond's security gnomes to issue an advisory on Monday. The …
IE is insecure?
I wonder if they'll advise we don't use IE while the fault goes unpatched? Or does that only apply to the competition...
Doesn't affect me, then, since the PHB has decreed that we don't need to upgrade Office 97.
Chris Evans/Billie Piper
I seem to remember when MS announced ActiveX support in IE back around 1997-99.
Billie Piper would have been 15-17 years old....
And everyone around in the office at the time immediately said it would be a security nightmare (ActiveX in IE that is!).
"* Any time we see an advisory with three or four suggested workarounds instead of one, we can't help but think none of them work particularly well."
Are Micro$oft trying to get to switch to Ubuntu?
I've yet to see an ActiveX control that works consistantly.
Paris as even she's got a clue ActiveX is bad for you.
>> Some of these involve preventing COM objects from running in Internet Explorer, or disabling scripting. The first of these means using the Registry Editor, where mistakes can really screw up your system, while the second might leave users unable to use many websites normally. Given these choices, less technically knowledgeable Windows users might do better to use either Firefox or Opera pending the availability of a patch, which Microsoft has begun to develop.
So if I disable COM objects in IE I might be "unable to use many websites normally" but if I use Firefox or Opera which don't support ActiveX in the first place these same web sites will continue to work?
"serious ActiveX flaw"
I had to smile when I read that subheading.
ActiveX doesn't have any serious flaws. The whole damned thing has been a serious flaw, from inception onwards.
One of the O'Reilly books on HTML published shortly after the debut of ActiveX included an explicit warning "don't use ActiveX, it's a security hazard." It's not like the security issues associated with ActiveX weren't understood until recently.
I cannot comprehend Microsoft's obstinate refusal to admit that they made a HUGE design error with ActiveX. The handwriting was on the wall right at the start, but no, they've forged ahead with their mistaken software tech ever since.
I love to play at MS-watching (sort of like Peking-watching in the days of Mao), but in this case I can't imagine what kind of pathological corporate structure leads to the retention of a system that has repeatedly been demonstrated to be a, if not *the*, major source of security holes.
Do the marketing wonks have too much say? Is it a pet project of Ballmer's? Is ActiveX a product for which no one person is responsible? Does anyone know?
Quality is job one
Microsoft cannot fix this.
Code quality - the missing ingredient - cannot arrive by random testing the code in millions of beta testers machines (i.e. Microsoft customers).
Code quality comes only by examination. Could one of Shakespeare's sonnets be improved by examination of his peers? Possibly. Can the essence of his plots be removed from modern literature? Never. Thus a few steps towards code quality reveal the essential flaw in the Microsoft code skeleton - your bad designs were never subjected to the withering criticism of your peers, and now we all have to suffer for it.
Same principle applies to politics, I assert.
@ Eddie Johnson
Reality and the web
I think we all agree that ActiveX was a hack thrown together by Microsoft in an attempt to leapfrog Netscape in the browser market. The problem is, a lot of people/companies use ActiveX controls. Regarding, "I've yet to see an ActiveX control that works consistantly.", I assume you've never seen Adobe Flash that shows up on most major websites without any issue. It's an ActiveX control! Microsoft can't "...just give up and KILL ActiveX ..." because all those websites and companies that use and implement ActiveX controls will scream bloody murder without a significant amount of handholding to move them to a new solution. Try removing the Plugin technology from Mozilla and see how many happy customers you have left.
Now, I agree that MS has acted pretty poorly in not attempting to wean their development community off of ActiveX years ago and providing a cutoff date for ActiveX. Let's hope that they properly address in IE 8 rather than continue to use bandaids to deal with ultimately is a sucking chest wound in the security of their browser.
Oh, regarding the "Code quality - the missing ingredient ..." statement. MS has many applications with exposed interfaces to make it easier for users like you or I to script their applications to do interesting things because "we" demanded it. To then turn around and slam them because someone found an obscure backdoor through IE/ActiveX to these exposed interfaces and say that "...see, if they had let me look at the code, this wouldn't happen" is flawed logic at best or just blatantly ignorant at worst. MS runs millions of tests per day against these apps to find and prevent security flaws. Bugs still get through when an unforseen interaction takes place. It doesn't matter if you have an extra hundred eyes pouring over the code because very few people spend their lives just looking at code. People go and look at code when an issue occurs. Why do you think the XP testing scheme is, if you find a bug, write a test case that can reproduce that bug, fix it, verify the test case passes? It isn't "pour through the code and try to imagine bugs that can occur".
Ultimately I will admit I much prefer having the source code available when I encounter a bug with a system, but hey, if I don't like how MS does business I can always choose a different solution.
I think Billie was pretty young - 17? - when she was boffing Ginger Evans. Oh how jealous I was.
Not sure if I prefer the 'Honey 2 the B' or 'Belle du Jour' - era Billie now, though - though I'd happily take either.
Paris cos she knows she's not nothing on her...