I am currently performing a study regarding the effectiveness of security features introduced in Microsoft Internet Explorer 7.0 for Windows XP. Among other things, I am comparing the behavior of the different versions with regard to how they deal with signed ActiveX components. It seems like IE 6.0 without any service packs installed acts identically to IE 7.0: a signed ActiveX control is downloaded after user confirmation and can run without prompt once it is downloaded. As such, it seems like no enhanced security features have been introduced (or default security settings have been adjusted) between the two versions regarding signed ActiveX controls. Am I correct in this assessment?
Thanks-
Christian

Re: ActiveX control security mechanisms in IE 6.0 vs IE 7.0 by Ze

Ze
Sat Sep 16 16:05:53 CDT 2006

Yes, you are, I believe. I cannot honestly say, as I use Linux and I
only used IE7 for a very short time before I uninstalled Windows, but I
do believe the answer is yes. Don't take my word for it, though.
cs5b@yahoo.com wrote:
> I am currently performing a study regarding the effectiveness of
> security features introduced in Microsoft Internet Explorer 7.0 for
> Windows XP. Among other things, I am comparing the behavior of the
> different versions with regard to how they deal with signed ActiveX
> components. It seems like IE 6.0 without any service packs installed
> acts identically to IE 7.0: a signed ActiveX control is downloaded
> after user confirmation and can run without prompt once it is
> downloaded. As such, it seems like no enhanced security features have
> been introduced (or default security settings have been adjusted)
> between the two versions regarding signed ActiveX controls. Am I
> correct in this assessment?
> Thanks-
> Christian


Re: ActiveX control security mechanisms in IE 6.0 vs IE 7.0 by Roger

Roger
Sat Sep 16 17:22:25 CDT 2006

<cs5b@yahoo.com> wrote in message
news:1158362508.194592.39670@p79g2000cwp.googlegroups.com...
> I am currently performing a study regarding the effectiveness
> of security features introduced in Microsoft Internet Explorer
> 7.0 for Windows XP.
> Among other things, I am comparing the behavior of the
> different versions with regard to how they deal with signed
> ActiveX components.
>
> It seems like IE 6.0 without any service packs installed
> acts identically to IE 7.0: a signed ActiveX control is
> downloaded after user confirmation and can run without
> prompt once it is downloaded. As such, it seems like
> no enhanced security features have been introduced
> (or default security settings have been adjusted) between
> the two versions regarding signed ActiveX controls.
> Am I correct in this assessment?

No. You are incorrect.
You are assuming that all change is visible in the settings or
the part of the behavior you observe.
IE 6 unpatched had flaws in how it sandboxed controls. To say
your assessment is right would be to say that IE7 also has
those flaws.
Since it would be fairly trivial to compare the just-installed
settings zone for zone between the two, and their runtime
initiation behaviors, I must assume you are not asking "am
I correct, that the install defaults are not changed?" but that
you do actually want to compare the safety of the two, i.e.
how effective they are at providing safety.
You are probably correct that, even with introduction of the
new ActiveX Pre-Approved List, the behavior of "download
and go" will not change, but that does not mean there are no
changes in how ActiveX controls are handled.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/cols/dnexpie/activex_security.asp
For example, IE 7 claims to handle URL sourcing more safely,
and defend against cross-site scripting flaws better. These can
be used to make ActiveX controls not obey the apparent rules
seen in the zone settings. Etc.
http://msdn.microsoft.com/ie/infoindex/default.aspx

--
Roger
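
The zone-for-zone settings comparison mentioned in the reply above, as an added example that is not part of the original thread. It assumes each machine's `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones` key has been exported to `.reg` text; the function names are hypothetical and the two sample exports are constructed, not real IE 6 or IE 7 defaults.

```python
import re

# URL action codes (value names under ...\Internet Settings\Zones\<n>) for ActiveX
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone: {action_code: dword}} from the text of a .reg export."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = zones.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # a key outside the Zones subtree
        elif current is not None:
            val = VAL_RE.match(line)  # string values such as DisplayName are skipped
            if val:
                current[val.group(1).upper()] = int(val.group(2), 16)
    return zones

def diff_activex(old, new):
    """List (zone, action, old_policy, new_policy) where the exports differ."""
    changes = []
    for zone in sorted(set(old) | set(new)):
        for action in ACTIVEX_ACTIONS:
            a = old.get(zone, {}).get(action)
            b = new.get(zone, {}).get(action)
            if a != b:  # None means the value is absent from that export
                changes.append((zone, action, POLICY.get(a, a), POLICY.get(b, b)))
    return changes

# Constructed sample exports for the Internet zone (3); values are illustrative only.
EXPORT_A = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
'''
EXPORT_B = EXPORT_A.replace('"1200"=dword:00000000', '"1200"=dword:00000001')
```

Files written by regedit are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_zones`. An empty diff shows only that the configured policies match; as the reply points out, it says nothing about flaws in how each version enforces them.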