Confusing GP text can open IE security hole

Posted by ThomasMc07 on November 13, 2007, 3:11 pm
There's an error in the "explain" text for the "Download (un)signed ActiveX
controls" group policy in the IE7 inetres.adm template. Following the
instructions in the text will potentially open a security hole in IE.

It says:

"This policy setting allows you to manage whether users may download signed
ActiveX controls from a page in the zone.

"If you enable this policy, users can download signed controls without user
intervention. If you select Prompt in the drop-down box, users are queried
whether to download controls signed by publishers who aren't trusted. Code
signed by trusted publishers is silently downloaded.

"If you disable the policy setting, signed controls cannot be downloaded.

"If you do not configure this policy setting, users are queried whether to
download controls signed by publishers who aren't trusted. Code signed by
trusted publishers is silently downloaded."


In reality, if you "disable" the policy setting, ActiveX controls can be
downloaded and most likely will, unless another policy prevents it.

It is because disabling the policy setting disables the ability to block
downloads, not the ability to download. To actually block downloads, one must
first enable the policy and then choose disable in the dropdown list.

This is a security issue. Please fix.

Thomas McLeod
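
One way to check the effective state the post above describes, as an added example that is not part of the original thread: it reads the zone policy values and reports whether ActiveX download is actually blocked. The registry path, the URL action IDs 1001/1004, the value meanings (0, 1, 3), and the reading of a missing value as "Disabled or Not Configured" are assumptions based on standard Windows zone policy storage, not taken from the thread.

```powershell
# Added example: audit whether ActiveX download is really blocked by policy.
# Assumptions (not from the thread): zone policy values are stored under
# <hive>\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
# as URL actions 1001 (signed) and 1004 (unsigned); 0 = Enable, 1 = Prompt, 3 = Disable.
$zones   = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$actions = @{ '1001' = 'Download signed ActiveX controls'; '1004' = 'Download unsigned ActiveX controls' }
$meaning = @{ 0 = 'Enable (silent download)'; 1 = 'Prompt'; 3 = 'Disable (blocked)' }
$base    = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$report = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $key   = "${hive}:\$base\$zone"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($id in ($actions.Keys | Sort-Object)) {
            # A missing value means no policy is enforced for this action.
            $value = if ($props) { $props.$id } else { $null }
            if ($null -eq $value) {
                # Policy "Disabled" or "Not Configured": nothing is enforced,
                # so downloads are NOT blocked by this policy.
                $state = 'No policy value (Disabled or Not Configured)'
            } elseif ($meaning.ContainsKey([int]$value)) {
                $state = $meaning[[int]$value]
            } else {
                $state = 'Other value: 0x{0:X}' -f [int]$value
            }
            [pscustomobject]@{
                Hive    = $hive
                Zone    = $zones[$zone]
                Action  = $actions[$id]
                State   = $state
                Blocked = ($null -ne $value -and [int]$value -eq 3)
            }
        }
    }
}

# Full picture first, then only the entries where download is not blocked.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Blocked } |
    Format-Table Hive, Zone, Action, State -AutoSize
```

Rows showing "No policy value" are the case the post warns about: the template's "Disabled" state leaves the download behaviour to whatever the zone defaults or user settings allow.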


Posted by Anteaus on November 19, 2007, 9:12 am
Good point, but that is a bit like pointing out one slightly
larger-than-average hole in a chunk of Emmental.

The wise user downloads a fundamentally more secure browser, in which case
these issues are largely academic.

"ThomasMc07" wrote:
> This is an (IE) security issue. Please fix.

