ActiveX control security mechanisms in IE 6.0 vs IE 7.0
Posted by cs5b on September 15, 2006, 7:21 pm
I am currently performing a study regarding the effectiveness of security features introduced in Microsoft Internet Explorer 7.0 for Windows XP. Among other things, I am comparing the behavior of the different versions in regard to how they deal with signed ActiveX components. It seems like IE 6.0 without any service packs installed acts identically to IE 7.0: a signed ActiveX control is downloaded after user confirmation and can run without prompt once it is downloaded. As such, it seems like no enhanced security features have been introduced (or default security settings have been adjusted) between the two versions regarding signed ActiveX controls. Am I correct in this assessment?
Thanks-
Christian


Posted by Ze Muffinman on September 16, 2006, 5:05 pm
Yes, you are, I believe. I cannot honestly say, as I use Linux and I only used IE7 for a very short time before I uninstalled Windows, but I do believe the answer is yes. Don't take my word for it, though.
cs5b@yahoo.com wrote:
> I am currently performing a study regarding the effectiveness of security features introduced in Microsoft Internet Explorer 7.0 for Windows XP. Among other things, I am comparing the behavior of the different versions in regard to how they deal with signed ActiveX components. It seems like IE 6.0 without any service packs installed acts identically to IE 7.0: a signed ActiveX control is downloaded after user confirmation and can run without prompt once it is downloaded. As such, it seems like no enhanced security features have been introduced (or default security settings have been adjusted) between the two versions regarding signed ActiveX controls. Am I correct in this assessment?
> Thanks-
> Christian


Posted by Roger Abell [MVP] on September 16, 2006, 6:22 pm
> I am currently performing a study regarding the effectiveness of security features introduced in Microsoft Internet Explorer 7.0 for Windows XP. Among other things, I am comparing the behavior of the different versions in regard to how they deal with signed ActiveX components.
>
> It seems like IE 6.0 without any service packs installed acts identically to IE 7.0: a signed ActiveX control is downloaded after user confirmation and can run without prompt once it is downloaded. As such, it seems like no enhanced security features have been introduced (or default security settings have been adjusted) between the two versions regarding signed ActiveX controls. Am I correct in this assessment?

No. You are incorrect.
You are assuming that all change is visible in the settings or the part of the behavior you observe.
IE 6 unpatched had flaws in how it sandboxed controls. To say your assessment is right would be to say that IE7 also has those flaws.
Since it would be fairly trivial to compare the just-installed settings zone for zone between the two, and their runtime initiation behaviors, I must assume you are not asking "am I correct, that the install defaults are not changed?" but that you do actually want to compare the safety of the two, i.e. how effective they are at providing safety.
You are probably correct that, even with the introduction of the new ActiveX Pre-Approved List, the behavior of "download and go" will not change, but that does not mean there are no changes in how ActiveX controls are handled.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/cols/dnexpie/activex_security.asp
For example, IE 7 claims to handle URL sourcing more safely, and to defend against cross-site scripting flaws better. These can be used to make an ActiveX control not obey the apparent rules seen in the zone settings. Etc.
http://msdn.microsoft.com/ie/infoindex/default.aspx

--
Roger
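Roger's suggested first step, comparing the just-installed zone settings and the new Pre-Approved List between the two browsers, can be done directly from the registry. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It reads, for every security zone under the current user's Internet Settings key, the URL-action values that govern ActiveX handling (1001 download signed, 1004 download unsigned, 1200 run, 1201 initialize/script unsafe, 1405 script safe-marked, and 1208, the IE7 "previously unused control" opt-in prompt), decodes the documented 0/1/3 values as Enable/Prompt/Disable, and checks whether a CLSID is listed under IE7's PreApproved key. The function names are the example's own, and the CLSID at the bottom is a placeholder to be replaced with the control under test.

```powershell
# Added example (not from the thread): dump the ActiveX-relevant URL-action
# settings for each IE security zone and test a CLSID against IE7's
# pre-approved list. Run on an IE6 and an IE7 machine and diff the output
# to compare the defaults zone for zone.

$zonesKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$preApprovedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'

# URL actions (hex value names under each zone key) that control ActiveX.
$activeXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1208' = 'Allow previously unused ActiveX controls to run without prompt (IE7 opt-in)'
}

# Documented meanings of the URL-policy DWORD values.
$policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneSettings {
    # One object per (zone, action) pair; a missing value means IE falls
    # back to its built-in default for that zone, so it is reported as such.
    foreach ($zone in Get-ChildItem $zonesKey) {
        $props = Get-ItemProperty $zone.PSPath
        foreach ($action in ($activeXActions.Keys | Sort-Object)) {
            $raw = $props.$action
            $setting = if ($null -eq $raw) { '(not set)' }
                       elseif ($policy.ContainsKey([int]$raw)) { $policy[[int]$raw] }
                       else { '0x{0:X}' -f $raw }
            New-Object PSObject -Property @{
                Zone    = "$($zone.PSChildName) ($($props.DisplayName))"
                Action  = $activeXActions[$action]
                Setting = $setting
            } | Select-Object Zone, Action, Setting
        }
    }
}

function Test-PreApproved([string]$clsid) {
    # IE7 keeps pre-approved controls as CLSID subkeys here; a listed control
    # skips the opt-in prompt. The key does not exist on IE6, so absence of
    # the key itself is already a useful difference between the two builds.
    if (-not (Test-Path $preApprovedKey)) { return $false }
    Test-Path (Join-Path $preApprovedKey $clsid)
}

$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
"Internet Explorer version: $ieVersion"
Get-ActiveXZoneSettings | Format-Table -AutoSize

# Placeholder CLSID (assumption): substitute the control being studied.
$clsid = '{00000000-0000-0000-0000-000000000000}'
"$clsid pre-approved: $(Test-PreApproved $clsid)"
```

If the machine is under the Security_HKLM_only policy, the effective zone settings live under the same Zones path in HKLM rather than HKCU, so point $zonesKey there. The dump only shows what the zone table says; as Roger notes, flaws in how a control is sourced or sandboxed do not show up in these values, so a matching table on both versions is not evidence that the two browsers are equally safe.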


