Re: [New ActiveX security problems in Windows 98 PCs]
McKay (seanmckay@NETSCAPE.NET)
Mon, 2 Aug 1999 11:56:40 CDT
"David N. Murray" <dmurray@JSBSYSTEMS.COM> wrote:
> What can computer manufacturers and software companies do about the problem
> of security holes in pre-installed ActiveX controls? As it turns out,
> Internet Explorer 5 already offers a great solution. IE5 supports a new
> feature called HTML applications (or .HTA files). An HTML Application is
> built like a Web page but can only be loaded and executed from the hard
> drive. Because an .HTA file comes from the local drive and not the
> Internet, scripts on the page are completely trusted and are allowed to
> use all ActiveX controls installed on a system whether the controls are
> marked safe or not. For an HTML application, none of its private ActiveX
> controls have to be marked safe for scripting and therefore the controls
> cannot be misused on Web pages.
>
I hate to burst your bubble, but .HTA files can come from the Internet. When
an IE4 or IE5 browser encounters a .HTA file on the Internet, it prompts with
a typical open/save dialog box.
If you tell the dialog to open it, it runs on your system with fully trusted
permissions (i.e. no security).
For an example of a .HTA from the Internet go to...
http://msdn.microsoft.com/workshop/essentials/versions/Ie5hta.asp
and look for a link on the page with the text:
"Here's how this simple HTA looks".
McKay
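
The reply above notes that an .HTA can be served from the Internet and runs fully trusted once the user chooses to open it. As an added example that is not part of the original post, the following sketch flags HTA deliveries in web proxy logs so they can be reviewed or blocked. The pipe-delimited log format, hostnames and sample lines are constructed for illustration; `application/hta` is the MIME type Windows associates with HTA files.

```python
"""Flag HTA deliveries in web proxy logs (added example; log format is constructed)."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines: time|client|url|status|content-type|content-disposition
SAMPLE_LOG = """\
1999-08-02T11:50:01|10.0.0.5|http://intranet.example/index.html|200|text/html|-
1999-08-02T11:51:13|10.0.0.7|http://files.example/tools/setup.HTA?v=2|200|application/octet-stream|-
1999-08-02T11:52:40|10.0.0.7|http://files.example/get?id=41|200|application/hta|-
1999-08-02T11:53:02|10.0.0.9|http://files.example/dl.asp|200|text/html|attachment; filename="report.hta"
1999-08-02T11:54:19|10.0.0.9|http://docs.example/what-is.hta.html|200|text/html|-
1999-08-02T11:55:00|10.0.0.4|http://files.example/old.hta|404|text/html|-
"""

FILENAME_RE = re.compile(r'filename\*?=(?:"([^"]*)"|([^;\s]+))', re.I)

def hta_reasons(url, content_type, disposition):
    """Return the indicators showing that a response delivers an HTA."""
    reasons = []
    # Check only the URL path, so query strings and mixed case do not hide it.
    if unquote(urlsplit(url).path).lower().endswith(".hta"):
        reasons.append("url-extension")
    # The server may label the body as an HTA regardless of the URL.
    if content_type.split(";")[0].strip().lower() == "application/hta":
        reasons.append("content-type")
    # A download handler can supply the .hta name via Content-Disposition.
    m = FILENAME_RE.search(disposition)
    if m and (m.group(1) or m.group(2) or "").lower().endswith(".hta"):
        reasons.append("disposition-filename")
    return reasons

def find_hta_deliveries(log_text):
    """Return (time, client, url, reasons) for each successful HTA response."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, client, url, status, ctype, disp = parts
        if not status.startswith("2"):
            continue  # only responses that actually delivered content
        reasons = hta_reasons(url, ctype, disp)
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits

if __name__ == "__main__":
    for hit in find_hta_deliveries(SAMPLE_LOG):
        print(hit)
```

Checking the header fields as well as the URL matters because a download handler such as `dl.asp` can hand the browser an `.hta` filename that never appears in the request path.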
This archive was generated by hypermail 2.0b3 on Mon Aug 02 1999 - 14:59:06 CDT