Why are we encouraged to block ActiveX from loading?

Victor


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.690 / Virus Database: 451 - Release Date: 5/22/2004

Re: ActiveX by Lionel

Lionel
Sun May 23 05:22:09 CDT 2004

"Victor Oh" <ohsoonann@hotmail.com> wrote in message
news:uKc9VeJQEHA.1388@TK2MSFTNGP09.phx.gbl...
> Why are we encouraged to block ActiveX from loading?

Because ActiveX controls are full-blown programs that can
do anything the user can. This is very useful if you want to display
something that can't be described using only HTML (e.g. PDF
documents, MathML), or if you have to access the user's computer
in some way (think of Windows Update), but it's a security risk in
two ways: if a trusted ActiveX control has a security bug, or if you
install a malicious control, you're giving full control of your user
account to any website you visit.

You should at least disable the installation of unsigned controls
and disable the execution of untrusted controls. (I think it's the
default configuration for IE). To be more secure, you can disable
all ActiveX controls in the Internet zone, and use the trusted zone
for websites for which you want ActiveX controls. Of course it
means that any content provided in this way will not be displayed.


Re: ActiveX by Victor

Victor
Sun May 23 05:57:00 CDT 2004

Lionel,

Thank you for your prompt response.

Victor




Re: ActiveX by hmm

hmm
Sun May 23 13:25:46 CDT 2004

Is this how spyware/adware is installed on computers
without users knowing (assuming they already have it set
up in IE to allow unsigned/unsafe ActiveX to be downloaded
without prompt)?


>-----Original Message-----
>Because ActiveX controls are full-blown programs that
>can do anything the user can. This is very useful if you
>want to display something that can't be described using
>only HTML (e.g. PDF documents, MathML), or if you have to
>access the user's computer in some way (think of Windows
>Update), but it's a security risk in two ways: if a
>trusted ActiveX control has a security bug, or if you
>install a malicious control, you're giving full control
>of your user account to any website you visit.
>
>You should at least disable the installation of unsigned
>controls and disable the execution of untrusted controls.
>(I think it's the default configuration for IE). To be
>more secure, you can disable all ActiveX controls in the
>Internet zone, and use the trusted zone for websites for
>which you want ActiveX controls. Of course it means that
>any content provided in this way will not be displayed.



Re: ActiveX by *Vanguard*

*Vanguard*
Sun May 23 14:59:55 CDT 2004

Lionel Fourquaux said in news:uan5T$KQEHA.3596@tk2msftngp13.phx.gbl:
> "Victor Oh" <ohsoonann@hotmail.com> wrote in message
> news:uKc9VeJQEHA.1388@TK2MSFTNGP09.phx.gbl...
>> Why are we encouraged to block ActiveX from loading?
>
> Because ActiveX controls are full-blown programs that can
> do anything the user can. This is very useful if you want to display
> something that can't be described using only HTML (e.g. PDF
> documents, MathML), or if you have to access the user's computer
> in some way (think of Windows Update), but it's a security risk in
> two ways: if a trusted ActiveX control has a security bug, or if you
> install a malicious control, you're giving full control of your user
> account to any website you visit.
>
> You should at least disable the installation of unsigned controls
> and disable the execution of untrusted controls. (I think it's the
> default configuration for IE). To be more secure, you can disable
> all ActiveX controls in the Internet zone, and use the trusted zone
> for websites for which you want ActiveX controls. Of course it
> means that any content provided in this way will not be displayed.

Besides configuring IE to refuse unsigned AX controls, you probably
should also configure IE to prompt for signed AX controls. Otherwise,
you are authorizing any site that has a signed AX control to download it
to you and run on your computer. I also use SpywareGuard as a safety
net but eventually disabled its download protection when I got PopUpCop
which has its XGuard feature. The result is that I get a double prompt
to allow an AX download so it would be nearly impossible for me to
accidentally allow it.

--
____________________________________________________________
*** Post replies to newsgroup. Share with others.
*** Email: domain = ".com" and append "=NEWS=" to Subject.
____________________________________________________________
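
The settings recommended in the two replies above correspond to per-zone URL action values in the registry. The following is an added example, not part of any poster's message: it audits the Internet zone (zone 3) against that advice. Treating "untrusted controls" as URL action 1201 is an assumption of this example, and the sample values are constructed.

```powershell
# Added example: audit Internet-zone (zone 3) ActiveX settings against the thread's advice.
# URL action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Action ID, IE setting name, and the values the thread's advice accepts.
# Mapping "untrusted controls" to action 1201 is an assumption of this example.
$Checks = @(
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls'; Allowed = @(3) },
    @{ Id = '1001'; Name = 'Download signed ActiveX controls'; Allowed = @(1, 3) },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Allowed = @(3) }
)
# Stricter option from the thread: no ActiveX at all in the Internet zone.
$StrictCheck = @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins'; Allowed = @(3) }

function Test-ActiveXZonePolicy {
    param([hashtable]$Values, [switch]$Strict)
    $list = @($Checks)
    if ($Strict) { $list += ,$StrictCheck }
    foreach ($c in $list) {
        $v = $Values[$c.Id]
        $current = if ($null -eq $v) { 'not set' } elseif ($Labels.ContainsKey($v)) { $Labels[$v] } else { "unknown ($v)" }
        [pscustomobject]@{
            Action  = $c.Id
            Setting = $c.Name
            Current = $current
            Ok      = ($c.Allowed -contains $v)   # a missing value never counts as compliant
        }
    }
}

function Get-ZoneValues {
    param([string]$Path)
    $props  = Get-ItemProperty -Path $Path -ErrorAction Stop
    $values = @{}
    foreach ($id in '1001', '1004', '1200', '1201') { $values[$id] = $props.$id }
    $values
}

# Constructed sample: a permissive zone where signed and unsigned controls install silently.
$sample = @{ '1001' = 0; '1004' = 0; '1200' = 0; '1201' = 3 }
Test-ActiveXZonePolicy -Values $sample -Strict | Format-Table -AutoSize

# On a Windows machine, audit the current user's real settings as well.
if (Test-Path $ZonePath) {
    Test-ActiveXZonePolicy -Values (Get-ZoneValues $ZonePath) | Format-Table -AutoSize
}
```

Settings enforced through Group Policy are stored under a separate Policies key, which this per-user check does not read.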



Re: ActiveX by Lionel

Lionel
Sun May 23 15:40:34 CDT 2004

hmm <anonymous@discussions.microsoft.com> wrote:
> Is this how spyware/adware is installed on computers
> without users knowing (assuming they already have it set
> up in IE to allow unsigned/unsafe ActiveX to be downloaded
> without prompt)?

It's one way it can be done.