Book of Hook Forum -> Game Development

ActiveX - my experience
brianhook
Site Admin


Joined: 12 Dec 2003
Posts: 2521
Location: seattle, wa

PostPosted: Fri Jan 14, 2005 12:25 am    Post subject: ActiveX - my experience

EDIT:

Since I've been slash-dotted on this -- good lord, it's a forum post to an obscure Web site -- I wanted to address some "issues" that people have brought up:

1. I don't know ActiveX programming very well at all. I'm no expert. I'm just pointing out the flaws. It's a useful and interesting technology, it's just dangerous as fuck as well. That's all I'm saying. No, this isn't news, but I didn't intend this forum post to become news to the Web. It's one step removed from a blog.

2. I wasn't trying to write some expose for slashdot or the community at large, I was mostly writing it down for the regular readers of my site who are, by and large, more like friends than they are "readers" or "community members". It wasn't intended to be some revelatory "OMG!!!" moment directed at the world.

3. I highly doubt what I've "revealed" here is news to virus and spyware authors, since they've been writing spyware like this for years now.

4. I use FireFox (and before that, Mozilla, and before that, IE with hardcore security settings), which is why I never realized the extent of ActiveX's stupidity.

5. I haven't worked at id in five years. If that's the only reason to print my comments...don't.


So I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is.

Let's forget the whole ATL/MFC aspect. And we can ignore the OLE grossness. Pretend that ActiveX isn't platform and browser dependent. Let's ignore all those fairly substantial issues for now. Instead, let's talk about the whole security thing.

ActiveX, for those that don't know, is a "technology" that allows you to download a piece of natively executable software from any arbitrary location (e.g. embedded in a Web page) and let it run.

If this seems insanely unsafe, that's because it is.

I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.

Slick.

Microsoft recognizes this (after quite a bit of hemming and hawing that it wasn't REALLY a problem, because users would eventually "learn" about safe computing -- seriously, that's what they said about 7 years ago when the issues of ActiveX vs. Java security came up).

So the way they've "fixed" this is to still allow it, but they've added a few bits of inconvenience for the would-be spyware/malware author.

First off, by default IE will not allow you to run an unsigned control. A control can be digitally signed, verifying that it came from you, and the signing process is arduous enough that, say, a bored junior high school student won't bother with the process. Unfortunately, anyone with $20 and who DOES care can get signed relatively easily.

So a "signed" control really isn't guaranteed to be safe, it's only somewhat guaranteed to have come from an identifiable source. There is NO WAY to guarantee that a control won't act maliciously. That's not possible.

Now, even if you have a "good" control that doesn't do bad things, it can be "repurposed". The problem is that the control is parked on someone's Web server and downloaded locally, which means that someone can take that control and then upload it to THEIR Web server and run it.

If the control is complex enough and accepts parameters, then you can modify a normally benign control and make it very, very evil. For example, let's say your organization has an intranet Web server where internal tools are posted for download and installation. To refresh your system, you simply go to the update page (just like Windows Update) and say "Update".

The control, being general and all, is in the form of "Take a file X, download, and execute". The tool programmers don't want to recompile and sign a control EVERY time they update a tool, right? So instead the tool accepts via <PARAM> the file to download and install. On their Web page it might look like this:

Code:

<OBJECT ... CODEBASE="http://internalserver/tools/updater.ocx">
<PARAM NAME="SRC" VALUE="http://internalserver/tools/new/xyz101.exe">
</OBJECT>


So the updater (updater.ocx) gets the parameter that tells it what file to download to the local machine and execute. Hey, that's handy! Everything is great, because obviously your IT department isn't in the habit of installing malware, or so we hope.

Some Web coder employee sees this and the light bulb goes off..."Hey, if I change that param, it will run ANYTHING I tell it to...from anywhere!"

And he would be right. There is almost no way to safely stop this. Microsoft, to address this concern, has provided a header file called SiteLock where you're supposed to be able to list only a few select sites where your control can be run from, but this has its own problems. For starters, SiteLock is barely documented -- it seems to be an internal system that Microsoft hastily released to help with all the security problems they were having. Second, SiteLock requires ATL, which I don't use (I use MFC for ActiveX development). Third, SiteLock then hardcodes those source sites within your OCX, so if you're in the business of providing OCX files to others, you'll have to provide source code and have them recompile with their own white/blacklists. Not only that, but sometimes you really don't want to hurt a control's flexibility just to prevent some numb nut from taking your control and using it for Evil.

Sadly enough, Microsoft has a way for you to mark a control as "safe for scripting", which is sort of their way of saying "Can you guarantee that this control won't be abused?" This means both directly (altering parameters) and indirectly (buffer overruns). Unfortunately they leave this determination up to you, so in the end the two key "technologies" Microsoft provides to ensure safety are pretty much voluntarily specified on the part of the ActiveX control author.

To compound matters, genuinely useful ActiveX stuff -- like downloadable games or utilities or tools -- is stopped in its tracks because most people are now becoming paranoid enough that they simply treat ActiveX controls like popups. If you want to allow a presumably safe (and signed) ActiveX control to run, you have to click through THREE separate blockers -- the ActiveX blocker in IE (you have to select "Allow Blocked Content"); the Security Warning dialog; and the IE warning that crops up when you try to run a control that is not marked safe for scripting. And the installation dialog as well, if you haven't installed the OCX previously. So you must navigate up to four prompts for a theoretically safe control.

I cannot believe something like this exists and, even worse, is so popular today. If Microsoft had simply spent more than 5 minutes designing ActiveX I'm pretty confident that many of the spyware/malware problems of today would simply not exist.


Last edited by brianhook on Mon Jan 17, 2005 1:58 pm; edited 2 times in total
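As an added example, not code from the original post and not any Microsoft component, the following C++ shows the kind of allow-list check a "download and execute" updater control could apply to its SRC parameter before fetching anything, so that a page supplying a different URL cannot repurpose it. The host names and URLs in it are constructed sample values; a real control would also pin the hosting page (what SiteLock does) and verify the signature of whatever it downloads, neither of which is shown here.

```cpp
// Added example (not from the original post): allow-list check for the SRC
// parameter of an updater-style control. Any URL whose scheme or host is not
// on the list is refused. The host names below are constructed sample values.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Hosts this control is willing to download from (hypothetical).
static const std::vector<std::string> kAllowedHosts = {
    "internalserver",
    "internalserver.corp.example",
};

// Lower-case ASCII copy so host comparison is case-insensitive.
static std::string ToLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Extracts the host from a plain "http://host/..." or "https://host/..." URL.
// Returns false for any other scheme, for an empty authority, and for an
// authority containing user-info ('@'), a port (':'), IPv6 brackets or a
// backslash: those are refused outright instead of being parsed leniently.
bool ExtractHost(const std::string& url, std::string& host) {
    static const std::string kHttp = "http://";
    static const std::string kHttps = "https://";
    const std::string lowered = ToLower(url);
    size_t start;
    if (lowered.compare(0, kHttp.size(), kHttp) == 0) {
        start = kHttp.size();
    } else if (lowered.compare(0, kHttps.size(), kHttps) == 0) {
        start = kHttps.size();
    } else {
        return false;  // file:, ftp:, javascript:, relative paths, ...
    }
    // The authority ends at the first '/', '?' or '#'.
    const size_t end = lowered.find_first_of("/?#", start);
    const std::string authority =
        lowered.substr(start, end == std::string::npos ? std::string::npos : end - start);
    if (authority.empty()) return false;
    if (authority.find_first_of("@:[]\\") != std::string::npos) return false;
    host = authority;
    return true;
}

// True only if the URL names an allow-listed host over http or https.
bool IsAllowedSource(const std::string& url) {
    std::string host;
    if (!ExtractHost(url, host)) return false;
    return std::find(kAllowedHosts.begin(), kAllowedHosts.end(), host) != kAllowedHosts.end();
}

int main() {
    // Constructed sample SRC values: the first is what the intranet page
    // would pass, the rest are the kinds of substitutions a hostile page
    // could make. Only the first is accepted.
    const char* samples[] = {
        "http://internalserver/tools/new/xyz101.exe",
        "http://internalserver.evil.example/xyz101.exe",
        "http://evil.example/?u=http://internalserver/xyz101.exe",
        "http://internalserver@evil.example/xyz101.exe",
        "file:///C:/tools/xyz101.exe",
    };
    for (const char* s : samples) {
        std::printf("%-58s %s\n", s, IsAllowedSource(s) ? "allowed" : "REFUSED");
    }
    return 0;
}
```

The check fails closed on purpose: anything the tiny grammar does not fully understand (user-info, ports, backslashes, non-http schemes) is refused rather than normalised, because an allow-list that parses more permissively than the downloader behind it can be bypassed by any input the two interpret differently.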
xts3



Joined: 04 Jan 2005
Posts: 93

PostPosted: Fri Jan 14, 2005 1:10 am

Well I can say as a user of certain websites, ActiveX is a pain in the royal ass because major sites like CNN and other fairly useful websites incorporate them into their web pages which make it fairly annoying if you want to see certain content or use their site in general.

How Active X ever got off the ground in the first place with Microsoft knowing the anarchic nature of the internet in the first place is beyond me. Security has really taken a backseat to features. But ultimately I think complexity and capitalist nature of exploiting workers or rushing things is bogging down good security.

Also everyone's mad grab for cash by using ads to support their websites and pay their bandwidth is part of what ultimately drives companies and "entrepreneurs" to exploit the loopholes to make cash. It's similar to spam, I read about a guy that was raking in $700,000 a year and got sentenced to something like 7 years in prison for spamming, but what's 7 years of jail time compared to the money he made over the years of his spamming operation? Until there are laws that allow the government to take people's "illegally" gained profits away, I don't foresee anyone stopping the exploiting of loopholes for financial gain.

Quote:
I cannot believe something like this exists and, even worse, is so popular today. If Microsoft had simply spent more than 5 minutes designing ActiveX I'm pretty confident that many of the spyware/malware problems of today would simply not exist.


Well I'm not so sure about that, a lot of shareware now installs or comes with adware/malware that has nothing to do with Active X.


Last edited by xts3 on Fri Jan 14, 2005 1:19 am; edited 2 times in total
brianhook
Site Admin


Joined: 12 Dec 2003
Posts: 2521
Location: seattle, wa

PostPosted: Fri Jan 14, 2005 1:17 am

xts3 wrote:
Well I can say as a user of certain websites, ActiveX is a pain in the royal ass because major sites like CNN and other fairly useful websites incorporate them into their web pages which make it fairly annoying if you want to see certain content.


From what I've seen (or not, in this case), it's not that big a deal -- many times the ActiveX controls are there strictly if you are unable to display content with Java or Shockwave or Flash. I've never had a problem with eBay or CNN using FireFox.

Quote:
How Active X ever got off the ground in the first place with Microsoft knowing the anarchic nature of the internet in the first place is beyond me.


Oh, that's easy. A.) Microsoft controls the browser market and B.) ActiveX was a simple extension of OLE and C.) it wasn't Java, which Microsoft doesn't like. It was also "fast", since it's basically native code. So there are a lot of things "good" about ActiveX, from Microsoft's point of view, and back in the mid-90s the whole concept of spyware/malware was kind of a vague threat, much like spam. Very few people realized that spyware/adware/malware/spam/virii/worms would be such dominating problems today.

Quote:
Security has really taken a backseat to features.


Well, until Bill Gates panics, then you suddenly CAN'T use any features that MIGHT be dangerous. Microsoft basically invented whole categories of virii (VBS and PIF scripts), and when they realized that things were rampant, solved them in Outlook by, for example, disabling attachments altogether.

Quote:
but what's 7 years of jail time compared to the money he made over the years of his spamming operation?


Umm...you can earn more money. You can't earn back years.

Quote:
Until there are laws that allow the government to take people's "illegally" gained profits away, I don't foresee anyone stopping the exploiting of loopholes for financial gain.


Such laws already do exist, e.g. for drug dealers and impounding of their stuff.
xts3



Joined: 04 Jan 2005
Posts: 93

PostPosted: Fri Jan 14, 2005 1:29 am

Quote:
Umm...you can earn more money. You can't earn back years.


Yeah but despite spamming how were his profits "illegally" gained? He got to keep his money and think about this, 7 years times $50,000 is only $350K, I'd gladly spend 7 years in minimum security prison with possibility of early parole or paying my way out if I made enough money spamming since with the ungodly sums of money I've made I wouldn't have to work like a dog and do mind-numbingly taxing work to make someone else or some other company money.

Quote:
Such laws already do exist, e.g. for drug dealers and impounding of their stuff.


Not for spammers; these guys get to keep their cash because they didn't really obtain their money illegally, many people who get spam purchase these silly products, so how was it obtained "illegally"?
alastairpatrick



Joined: 11 Dec 2004
Posts: 44
Location: San Diego, CA

PostPosted: Fri Jan 14, 2005 11:17 am

I had much the same problem trying to use ActiveX to distribute an Internet game a few years ago. Things can only be worse now. I think these are the main options for embedding a client-side program in a web page:
    ActiveX control
    Netscape plugin
    Java applet
    .NET applet
    Javascript
    Flash actionscript
ActiveX and Netscape plugins both suffer from the same problem. There is almost no sandboxing and the program can do almost anything it wants. Although at least Netscape plugins don't put the programmer through hell just to do something really simple.

Java applets work well. They have had some security issues I believe but these are more security bugs than fundamental design flaws. Trouble is, IE does not support Java applets "out of the box" anymore. You need to install it from Sun's site. So you've scared off 90% of your potential users by using Java.

I haven't tried them yet but .NET applets could be viable, if Microsoft has done as good a job of copying Java in this department as they have with C#.

Javascript is widely supported but it's limited in what it can do and also suffers from some security issues.

Flash Actionscript, and Flash in general, is another good possibility. It must be installed on quite a high proportion of PCs and it is quite powerful: http://www.illogicz.com/flashmx/3dengine/.
_________________
-- http://alpatrick.blogspot.com/
Rimbo



Joined: 02 Aug 2004
Posts: 109
Location: San Diego

PostPosted: Mon Jan 17, 2005 1:55 pm

You got Slashdotted, dude.
_________________
Rimbosity -- Light your brain farts. http://www.rimbosity.com/
brianhook
Site Admin


Joined: 12 Dec 2003
Posts: 2521
Location: seattle, wa

PostPosted: Mon Jan 17, 2005 1:57 pm

Yeah, I figured that out from my stats =) It's always fun to have an innocuous forum post get slashdotted, then people get all in a tizzy at SlashDot because I'm saying "obvious" shit...in my own forums.

I had to edit the original article to reflect a lot of this. Oh well, no one can say I'm not used to being ridiculed in public =)
grazzy



Joined: 17 Jan 2005
Posts: 1

PostPosted: Mon Jan 17, 2005 2:25 pm    Post subject: .. on the topic of security issues..

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
I'm too lazy to check yer PHP, though.
brianhook
Site Admin


Joined: 12 Dec 2003
Posts: 2521
Location: seattle, wa

PostPosted: Mon Jan 17, 2005 2:30 pm    Post subject: Re: .. on the topic of security issues..

grazzy wrote:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
I'm too lazy to check yer PHP, though.


Yeah, some others here have pointed that out, but I think I'm patched. Then again, if I'm not, I'm about to find out. =|
misterorange_



Joined: 01 May 2004
Posts: 62
Location: Oak Ridge, TN

PostPosted: Mon Jan 17, 2005 3:31 pm

Hey Brian, I'm the guy who submitted the story to /. (*ducks*)

I'm sorry if it brought unwanted attention, and the id software remark was simply to give the geeks a point of reference.

To me your thoughts were true and uninhibited, something I respect you for and come to the site often (and lurk in these forums) because of. I believe that on this issue some people who have never worked with ActiveX could learn a few things, and I expected the "Duh, this is old news" comments. But to the new coders, the kids who weren't around when ActiveX was the thing, I thought it was a good idea to let them have an idea where we've been and how far we've come, particularly in the learning process.

In other words, I won't make it a habit, and I apologize if I melted your server (doesn't look like it) or gave you a huge bandwidth bill.
_________________
Evan Erwin
http://www.misterorange.com
brianhook
Site Admin


Joined: 12 Dec 2003
Posts: 2521
Location: seattle, wa

PostPosted: Mon Jan 17, 2005 3:35 pm

misterorange_ wrote:
Hey Brian, I'm the guy who submitted the story to /. (*ducks*)


Yeah, I saw that, "ObiWan" =)

Quote:
I'm sorry if it brought unwanted attention, and the id software remark was simply to give the geeks a point of reference.


Eh, no sweat, the exposure is good for the soul. Public ridicule and harassment just makes me stronger =)

Quote:
In other words, I won't make it a habit, and I apologize if I melted your server (doesn't look like it) or gave you a huge bandwidth bill.


No, I think this one survived just fine. Although my current ISP has a lot of issues, they do allow "unlimited" bandwidth and have yet to yank me on any prior SlashDot "love".
Rimbo



Joined: 02 Aug 2004
Posts: 109
Location: San Diego

PostPosted: Mon Jan 17, 2005 5:24 pm

brianhook wrote:
Yeah, I figured that out from my stats =) It's always fun to have an innocuous forum post get slashdotted, then people get all in a tizzy at SlashDot because I'm saying "obvious" shit...in my own forums.

I had to edit the original article to reflect a lot of this. Oh well, no one can say I'm not used to being ridiculed in public =)


Man... some of the threads over there on this post are just... well, jeez.

You know, I'm thinking I should have announced the fact I'm a Dad here -- this way, the whole world knows.

I mean, posting here, this is like... it's like being one of those people holding up the "John 3:16" sign behind the field goal posts at a football game. Stands up and waves: HI MOM! HI MOM!!!!!!
_________________
Rimbosity -- Light your brain farts. http://www.rimbosity.com/
JasonR



Joined: 13 May 2004
Posts: 77
Location: Dallas/Fort Worth, Texas

PostPosted: Fri Jan 21, 2005 2:34 pm

I was wondering why this thread had so many hits. The internet sucks in that regard, what you say here stays here. One can't even get drunk and let their guard down in their own room without things coming back to haunt them.

This website proves that what happens on the internet stays on the internet. Your front page only has 2 entries but usually there's more. It even has my webpage on here and I don't think there's a single link to my website on the internet!
http://web.archive.org/web/*/http://www.bookofhook.com
return42



Joined: 19 Jan 2005
Posts: 127
Location: Ontario, Canada, eh!

PostPosted: Fri Jan 21, 2005 5:59 pm

The part that blows my mind, is that slashdot even chose to report it. I gotta say, why the hell would one man, even someone who worked at id, having an opinion on an 8 year old piece of tech, qualify as a story?

I used to read slashdot a fair bit, and still glance from time to time, but they have really gotten pathetic. I can basically sum up the articles before I go there... Outsourcing == bad. Linux == god. IBM == good. Microsoft = Anti-christ. SCO == bad. Lawsuits == bad. IP/Patents == BAD. Reading comments off that board really makes me question if the majority of Linux users are doing it as some neo-fetish-hitech-hippy crusade. It's a depressing thought. I would say the comments are 1 to 10 ratio of noise to quality. Most of the rest is closed-minded sheep speak.

Actually, Slashdot totally reminds me of all my friends that are still in school. I'm 30 now, and have to listen to endless rhetoric from a handful of friends that never left school. The man is evil, money is evil, compromise makes you weak, etc etc... Then, the real world hits, and every one of those bastards is the first to sell out their lofty views of the world.

That, to me is slashdot. I guess that's the downside to letting students, who have lived off mommy and daddy's money, make comments on how business should be conducted.

Sorry for ranting... just a pet peeve.
brianhook
Site Admin


Joined: 12 Dec 2003
Posts: 2521
Location: seattle, wa

PostPosted: Fri Jan 21, 2005 6:54 pm

return42 wrote:
The part that blows my mind, is that slashdot even chose to report it. I gotta say, why the hell would one man, even someone who worked at id, having an opinion on an 8 year old piece of tech, qualify as a story?


Because it was perceived as MS bashing, and /. is all about MS bashing.