And here is another episode, which starts out great and is on average better than the previous episodes, but still some mistakes slip in.
About the new, as of yet unpatched Windows flaw: I couldn’t find any information on it, so I’m not sure which flaw we are talking about, but just so that we are all on the same page: a remotely exploitable flaw is one which (under certain circumstances, e.g. if the vulnerable service is running) can be exploited with zero, I repeat, zero user intervention. It’s the kind of flaw which made Blaster and Sasser possible. The WMF flaw was not of this kind, since it required user intervention (although little). So, just so that we are clear on our definition: a user viewing a web page doesn’t equal remotely exploitable. Maybe the expression they were looking for was arbitrary code execution.
Now for the main feature: ActiveX scripting. First let me make it very clear: there is no such thing as ActiveX scripting, or at least not in the sense mentioned in the podcast. ActiveX and scripting are two different technologies, although they live in a common environment (the browser) and can interoperate. As proof, go to your Internet settings and you’ll see that at the security level you can disable/enable ActiveX and scripting independently. It is true, however, that at the maximum security level they are both disabled.
A short note about the technology used to deliver our e-mails. The method is the following: you write your e-mail, contact your mail server and hand it the mail. Now your mail server contacts the recipient’s mail server and hands it the mail. Finally the recipient connects to his mail server and gets the mail. What it comes down to is that the first and the last steps can be secured (by using something like SSL), but there is no standard for encrypting the middle part. The usual analogy for e-mail is that it’s like a postcard: you can make sure that nobody looks at your postcard until you hand it over to the postal service, and the recipient can make sure that nobody looks at it after s/he got it, but neither of you has any guarantee that it wasn’t looked at during transport (although this is highly improbable, for the same reason that it’s improbable that somebody would look at your e-mail: the volume of the traffic).
About data retention: you don’t need to retain the full data stream to have at least some valuable information. You could, for example, retain only the headers of the packets, which would reduce the volume significantly and still give a lot of useful information. Retaining only the headers and compressing them can reduce the volume at least 100 times (second-hand experience).
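To make the header-only retention idea concrete, here is an added example (not code from the original post) that builds a few constructed IPv4/TCP packets, keeps only the IP and TCP headers (honouring IHL and the TCP data offset so options survive), decodes the fields an analyst would still be able to query, and reports the raw and compressed volume. The packets, addresses and payloads are all constructed for the demo; checksums are not computed.

```python
"""Header-only retention: keep L3/L4 headers, drop payloads, compare volume."""
import socket
import struct
import zlib

IPV4_HEADER_LEN = 20      # fixed part of the IPv4 header (no options)
TCP_HEADER_MIN_LEN = 20   # fixed part of the TCP header (no options)


def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4/TCP packet (no options, checksums left zero).
    Only used to produce constructed sample traffic for this demo."""
    total_len = IPV4_HEADER_LEN + TCP_HEADER_MIN_LEN + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                   # version 4, IHL 5 (20 bytes)
        0,                      # DSCP/ECN
        total_len,
        0x1234,                 # identification
        0x4000,                 # flags: DF, fragment offset 0
        64,                     # TTL
        6,                      # protocol: TCP
        0,                      # header checksum (not computed here)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        1,                      # sequence number
        0,                      # acknowledgement number
        5 << 4,                 # data offset: 5 words = 20 bytes
        0x18,                   # flags: PSH|ACK
        65535,                  # window
        0,                      # checksum (not computed here)
        0,                      # urgent pointer
    )
    return ip_hdr + tcp_hdr + payload


def header_length(packet):
    """Number of leading bytes that are IP + TCP header. Reads IHL and the
    TCP data offset, so header options are retained and payload is not."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:          # not TCP: keep only the IP header
        return ihl
    data_offset = (packet[ihl + 12] >> 4) * 4
    return ihl + data_offset


def retain_headers(packets):
    """Strip payloads; returns the list of header-only records."""
    return [p[:header_length(p)] for p in packets]


def summarize(record):
    """Decode the fields an analyst would query from a header-only record."""
    ihl = (record[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", record[ihl:ihl + 4])
    return {
        "src": socket.inet_ntoa(record[12:16]),
        "dst": socket.inet_ntoa(record[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": record[ihl + 13],
    }


def volume_report(packets):
    """Compare full capture size with header-only size, raw and compressed."""
    full = b"".join(packets)
    headers = b"".join(retain_headers(packets))
    return {
        "full_bytes": len(full),
        "header_bytes": len(headers),
        "header_compressed_bytes": len(zlib.compress(headers, 9)),
        "reduction": round(len(full) / len(headers), 1),
    }


# Constructed sample traffic (not captured data): a bulk TLS exchange and an SMTP greeting.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "203.0.113.10", 51514, 443, b"x" * 1400),
    build_packet("203.0.113.10", "10.0.0.5", 443, 51514, b"\x17\x03\x03" + b"y" * 1000),
    build_packet("10.0.0.5", "198.51.100.25", 51515, 25, b"EHLO mail.example\r\n"),
]

if __name__ == "__main__":
    for rec in retain_headers(SAMPLE_PACKETS):
        print(summarize(rec))
    print(volume_report(SAMPLE_PACKETS))
```

The reduction factor depends entirely on how payload-heavy the traffic is; with a handful of packets it is about 20x here, and real-world bulk transfers with MTU-sized segments push it much higher, which is where the "100 times" figure comes from.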
movie can contain ActionScript). Both of these technologies, as well as Java, offer a very strong sandboxing solution, so it is very rare that something malicious can be done with them if the security settings are appropriate (there is malware out there which upon execution lowers, for example, the security level of IE, adds certain sites to the list of trusted sites or adds new certificates to the trusted CA database). An ActiveX control, on the other hand, gives full control of the system (or at least a level of control equal to the account under which IE is running). This is why it’s important to (a) not run as administrator and (b) only install ActiveX controls about which you are 100% sure. Ideally you should only install the ones required by Windows Update.
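Both points above (that ActiveX and scripting are separate switches in the Internet settings, and that malware relaxes the IE security level or adds trusted sites) can be checked from the defender's side. The following is an added example, not code from the original post: it audits the per-user Internet Explorer zone settings for ActiveX actions that are more permissive than a baseline, and lists Trusted-sites entries that are not on an expected list. The registry paths, zone numbers and URL-action codes (1001, 1004, 1200, 1201, 1400 with data 0 = Enable, 1 = Prompt, 3 = Disable) are the standard IE ones; the baseline policy, the allowlist of expected trusted domains and the sample data are assumptions constructed for the demo. The live registry is only read on Windows; elsewhere the script runs on the constructed sample.

```python
"""Audit Internet Explorer zone settings for the weakening described above:
ActiveX enabled where it should not be, and unexpected Trusted-sites entries."""
import sys

# Per-user registry locations IE uses for zone policy and site-to-zone mapping.
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONEMAP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
INTERNET_ZONE = "3"   # zone subkeys: 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
TRUSTED_ZONE = 2      # ZoneMap value data that places a domain in the Trusted sites zone

# Data values stored under each URL-action value name.
ENABLE, PROMPT, DISABLE = 0, 1, 3
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL-action codes (hex, stored as string value names) for ActiveX vs. scripting.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
}

# Assumed baseline for the Internet zone (example policy, not a vendor default):
# each action must be at least this restrictive. Scripting is deliberately left
# enabled to show that it is a separate switch from ActiveX.
INTERNET_BASELINE = {"1001": PROMPT, "1004": DISABLE, "1200": PROMPT,
                     "1201": DISABLE, "1400": ENABLE}


def assess_zone(settings, baseline=INTERNET_BASELINE):
    """Return findings for actions set more permissive than the baseline.
    `settings` maps value name -> DWORD data, as read from Zones\\<zone>."""
    findings = []
    for action, minimum in baseline.items():
        current = settings.get(action)
        if current is None:
            continue                    # value absent: the zone template default applies
        if current < minimum:           # lower data value = more permissive
            findings.append(
                f"{action} ({ACTIONS[action]}) is {NAMES.get(current, hex(current))}, "
                f"expected at least {NAMES[minimum]}")
    return findings


def assess_trusted_sites(domains, expected=("windowsupdate.com", "microsoft.com")):
    """Flag domains mapped into Trusted sites that are not on the expected list
    (`expected` is an assumed allowlist). `domains` maps domain -> {scheme: zone},
    mirroring the values stored under ZoneMap\\Domains\\<domain>."""
    findings = []
    for domain, schemes in domains.items():
        trusted = TRUSTED_ZONE in schemes.values()
        allowed = any(domain == e or domain.endswith("." + e) for e in expected)
        if trusted and not allowed:
            findings.append(f"unexpected Trusted-sites entry: {domain}")
    return findings


def _values(key):
    """Enumerate the (name, data) pairs of an open winreg key."""
    import winreg
    out, i = {}, 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:
            return out
        out[name] = data
        i += 1


def read_live(zone=INTERNET_ZONE):
    """On Windows, return (zone_settings, trusted_domains) for the current user
    (top-level ZoneMap domain entries only); on other platforms return None."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + zone) as k:
        settings = _values(k)
    domains = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONEMAP_KEY) as k:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(k, i)
            except OSError:
                break
            with winreg.OpenKey(k, name) as sub:
                domains[name] = _values(sub)
            i += 1
    return settings, domains


# Constructed sample: what the keys might hold after something relaxed the zone.
SAMPLE_INTERNET_ZONE = {"1001": ENABLE, "1004": ENABLE, "1200": ENABLE,
                        "1201": DISABLE, "1400": ENABLE}
SAMPLE_DOMAINS = {
    "windowsupdate.com": {"http": TRUSTED_ZONE, "https": TRUSTED_ZONE},
    "example-badsite.test": {"*": TRUSTED_ZONE},
}

if __name__ == "__main__":
    live = read_live()
    settings, domains = live if live else (SAMPLE_INTERNET_ZONE, SAMPLE_DOMAINS)
    for line in assess_zone(settings) + assess_trusted_sites(domains):
        print(line)
```

On the constructed sample the audit reports three ActiveX actions weaker than the baseline while leaving scripting (1400) alone, and one Trusted-sites entry outside the allowlist; run on a real machine it reads HKCU for the current user only, so a per-machine policy under HKLM or other user profiles would need the same walk over those hives.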
Hope this helps a little in clearing up the confusion.