The Recycle Bin

A repository of comments, code, and opinions.

ActiveX Redux


Google has decided to throw away years of progress in Web security, JIT interpreters, and general common sense and implement a weak rehash of the ActiveX control. Dubbed Native Client, this new plug-in architecture will allow websites to deliver raw x86 code to users in an attempt to “create richer and more dynamic browser-based applications.”

First of all, there is nothing browser-based about running native code.  The browser is simply the distribution medium for your native application.  Is Google admitting that AJAX and browser applications aren’t all they’re cracked up to be?

In all the hilarious irony, however, we shouldn’t lose sight of how awfully bad this idea really is. I mean, it’s just a terrible idea. Pushing raw machine code down the pipes is not a reasonable solution to the problem. We tried this with ActiveX – it’s been a mess. Sure, they’ve put some thought into security – a thinly veiled ‘sandbox’ that statically analyzes the bytes for any “dangerous commands” before it executes. Yeah, I’m sure no one is going to find a way around that….

Really, it’s ideas like this that guarantee that anti-virus vendors will always have a job…


Written by Nathan

December 9, 2008 at 1:47 pm

Posted in Security

3 Responses


  1. I’m confused. What is the motivation for this approach?

    d noves

    December 14, 2008 at 8:17 pm

  2. They want to take more advantage of the hardware on the machine. JavaScript/HTML websites don’t have direct access to the hardware (specifically, the video card) and have to go through the AJAX code, which is read and interpreted by whatever browser is reading. There are a lot of limitations, but it works for websites.

    To get more fancy stuff going, developers use Flash, Java applets, or Silverlight. These are all mini programs that run separately from the browser. They are all essentially running in a virtual machine that has more access to the system.

    Google’s approach here is to skip the VM stuff and just go straight to the OS. They want a cross-platform ActiveX – so anyone can make a plug-in targeting NativeCode and it will run natively on any machine. It’s a neat and ambitious idea, but really, it’s been done before and been proven to be pretty dangerous.

    Nathan

    January 16, 2009 at 1:47 pm

  3. It’s not my first time to pay a quick visit this website, I am visiting this site daily and obtain nice data from here all the time.

    2

    February 25, 2014 at 1:37 pm

