Thursday, August 28, 2008

Rub yourself in bacon and throw yourself in the wolf-pen

I thought the use of ActiveX had been banned in most civilized countries.

[This] Novell story is sad bad tale of You Can't Teach Some Dogs Anything At All. I quote:

Secunia, which reported the bugs to Novell, counted at least eight vulnerabilities in the ActiveX control included with the Windows Vista version of the iPrint client, as well as several other flaws in another Windows Vista iPrint component...iPrint is Novell's implementation of the Internet Printing Protocol (IPP), and lets users use, install and manage printers through the browser.

First of all, iPrint sounds like Apple, but it is some kind of Frankensteinian CUPS mutation. But that's a minor nit compared to using ActiveX in a printer client. Do these people feed and dress themselves competently? Is there anyone on the planet who doesn't know that ActiveX is a finely-engineered pestilence that cannot be trusted under any circumstances? ActiveX has one purpose in life: allowing the installation and execution of remote code on a Windows system via Internet Explorer.

ActiveX controls have unfettered access to the entire operating system. Using ActiveX is like rubbing yourself with bacon and flinging yourself into a hyena pack. There is no safe way to use ActiveX. Why it is even necessary for a printer client? The CUPS Web interface for Linux doesn't need ActiveX and it's worked fine for years. There is one for Mac too, which also doesn't need ActiveX, and both of them work in pretty much any Web browser. You don't need the match+flame duo of ActiveX and IE. In fact smart people avoid them like the toxins that they are.

Lest anyone think I am being too mean to poor old defenseless Novell and Microsoft, I recall ActiveX security advisories almost from its inception back in 1996 or so. What has changed since then, twelve years later? Nothing, as this random recent security bulletin shows:

Microsoft has released Security Advisory (955179) to describe attacks on a vulnerability in the Microsoft Office Snapshot Viewer ActiveX control. Because no fix is currently available for this vulnerability, please see the Security Advisory and US-CERT Vulnerability Note VU#837785 for workarounds.

So we need to revise the popular "fool me once" saying:

Fool me once, shame on you
Fool me twice, shame on me
Fool me thousands of times over many years...let's get married!"

Now why is it again that corporate participation is important to FOSS?

No comments: