Exploit for 'extremely critical' Yahoo Jukebox vuln goes wild

Re: Here we go again

Yada yada yada. The undeniable point is that Active X, IE and Windows are insecure out of the box individually. Taken together they are an open door to your PC and whatever information you store or put through it. *Any* other combo is an improvement, including any other browser on Windows.

I've been struggling to think of *any* Active X control that added value to a Windows install and the only one is the MS Update control, which let's face it was only deployed as an Active X control so MS could say "look we have to keep IE tied to the OS otherwise you can't update it" thus killing off the competition (Netscape)

MS *are* getting better with their security (eventually!) but they still have miles to go with technologies like Active X. At least if you blow a Java applet up you still have to break out of the sandbox. I'm not saying it's impossible but it's a darn sight more difficult than just waiting for a stack frame to pop.

I also look sternly at people like Yahoo! that release such shoddy products. The plain fact is there are people that you can pay to test your code for vulnerabilities if you don't have the skills in house. Yahoo! et al clearly feel that their bottom line > your security however so they don't.

Until MS fix their technologies, until producers of Active X controls learn even the most basic secure coding best practices, nobody should take the unneccessary risk of running Active X under IE on Windows when there are plenty of other options to take. Which one you prefer is entirely your choice, just don't be a lazy **** and stick with the crap that came out of the box.

</rant>

don't panic

It would take social engineering to trick a user into exposing themself to the exploit. Only users who install plugins that send them to external web pages are vulnerable, and even then they have to be tricked into going to a web page with the exploit. This is very unlikely, since almost no users of this software ever install any plugins.

About "I also look sternly at people like Yahoo! that release such shoddy products", that's ridiculously harsh. All internet software has vulnerabilities. We have had very few exploits in this software, and we are racing to ship a patch.

The underlying issue is once again the insecure design of ActiveX. Windows needs a capabilities model.

virtual machine

MS could fix a lot of the problems by making IE run in a virtual machine of some sort. hack away, a site should never see anything the site didn't put there or a user entered directly.

why exactly does a random website need the ability to run code that can potentially see the whole machine?

if you have a need to do that provide a program to download, and use which provides the data collection etc.

Good heavens! Surprise, surprise!

Active X implicated in a security panic??? Well, knock me down with a whore's draws!

"Yahoo has announced plans to abandon an unlimited service and transfer users to RealNetworks' Rhapsody service."

And THAT is meant to be a good thing? See:

http://www.theregister.co.uk/2008/01/31/realplayer_branded_badware/