Security Alert When used from a web page
DicomObjects may present a message box saying “DicomObjects Security Alert” from a web browser if you are running a web project using DicomObjects:
This is a security feature, required to comply with the rules for all ActiveX controls, reason being:
- Once an ActiveX control is installed, it may be used by any web page from anywhere on the web.
- DicomObjects can be scripted i.e. controlled by javascript or vbscript on those pages.
- Hospitals generally have very good security systems to stop people accessing them from the Internet but allow outgoing connections.
- Internal PCs generally have almost unrestricted access to DICOM data.
So, imaging the scenario where a malicious user writes a web page (perhaps a health information page, or something similar that has script running in the background):
- Checks if the machine has got DicomObjects installed.
- If it has, then it scans to find the PACS server (all addresses with port 104 on the local subnet)
- Connects to the PACS to retrieve data (with or without images)
- Sends that data, using DICOM out to another criminal data collection machine on the Internet
This has always been a risk with ActiveX controls, which is why the guidelines for writing them require developers to check with the user before doing anything which could conceivably be against their wishes (in this case communicating over a network). Of course, it is no use trying to switch this off from scripting code, as the malicious code could do exactly the same.