Security Alert When used from a web page

DicomObjects may produce message box saying "DicomObjects Security Alert", like this one when running from a web browser:

This is not a bug, and is an important security feature, required to comply with the rules for ActiveX controls...here is the explanation:

  1. Once an ActiveX control is installed, it may be used by any web page from anywhere on the web
  2. DicomObjects can be "scripted" - i.e. controlled by javascript or vbscript on those pages
  3. Hospitals generally have very good security systems to stop people accessing them from' the Internet, but allow users to connect to the Internet
  4. Internal PCs generally have almost unrestricted access to DICOM data.

So, imaging the scenario where a malicious user writes a web page (perhaps apparently a "health information" page, or something similar), but which has script that in the background:

  1. Checks if the machine has got DicomObjects installed
  2. If it has, then it scans to find the PACS server (all addresses with port 104 on the local subnet)
  3. Connects to the PACS to retrieve data (with or without images)
  4. Sends that data, using DICOM out to another criminal data collection machine on the Internet

This has always been a risk with ActiveX controls, which is why the guidelines for writing them require developers to check with the user before doing anything which could conceivably be against their wishes (in this case communicating over a network). Of course it is no use trying to switch this off from scripting code, as the criminals misusing it could do exactly the same!

We have never heard of DicomOBjects being used in this way (and it is highly unlikely!), but theoretically possible, and the threat cannot simply be ignored.

If you are 100 % confident that your network security and settings are sufficiently secure that no script could possibly misuse DicomObjects in this way, then we can supply what we refer to as the "unsafe" version of DicomObjects, but you need to be sure that you are happy with the risk of misuse.

Relevance: