 
From: Grimes, Roger (RogerG_at_GOLDKEYRESORTS.COM)
Date: Wed Jul 31 2002 - 18:14:15 CDT


    On a related side note, one of the annoying ActiveX security problems is
    that although ActiveX controls often exist outside of IE (download and
    run Microsoft's OLE Viewer to see the true scope of controls on your
    PC), most ActiveX security options are controlled by IE, and IE-related
    settings (configured in IEAK, registry settings, GPOs, etc.).

    For example, if I set the "kill bit" on the Adobe Acrobat reader control
    (i.e. HKLM\Software\Microsoft\Internet Explorer\ActiveX
    Compatibility\{CLASSID}\Compatibility Flag=400) so that it should not
    launch, the kill bit only applies to PDF files executed
    directly/remotely through the browser. If you click on a locally stored
    PDF file, Acrobat Reader will open up fine. And this used to not be a
    problem but so many exploits now routinely cross IE's Internet/local
    security zone barrier that it is a problem.

    All of this is to say that I can still launch many restricted controls
    even if you restrict them in IE...and even launch them inside of IE.
    I'm not sure how my message specifically applies to this particular
    situation, but I'm fairly positive it has a direct bearing looking on
    where the security is being set. Like most security solutions, don't
    assume blocking/restricting always works. It doesn't, and it should be
    part of a multi-level defense plan...with the security administrator
    knowing that they haven't blocked everything.

    Roger A. Grimes

    ************************************************************************
    *Roger A. Grimes, VP of IT for GK/PHR Holding Company
    *Gold Key Resorts and Professional Hospitality Resources
    *email: rogerggoldkeyresorts.com
    *ph: 757-491-2101 x403
    *fax:757-491-6550
    *932 Laskin Road, Virginia Beach, VA 23451
    *Author of Malicious Mobile Code: Virus Protection for Windows by
    O'Reilly
    *http://www.oreilly.com/catalog/malmobcode/
    ************************************************************************
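
The limitation described in the message above can be checked on a host with a read-only audit. The following is an added example, not part of the original post: it lists every CLSID with the kill bit set and reports whether that control is still registered as a COM server, and therefore still launchable outside IE. It assumes the value name `Compatibility Flags` and the bit 0x400; the function name `Get-KillBitAudit` is hypothetical.

```powershell
# Added example (not from the original post). Read-only: changes nothing.
function Get-KillBitAudit {
    param(
        # IE's kill-bit location. 32-bit controls on 64-bit Windows are
        # listed under HKLM:\SOFTWARE\Wow6432Node\... and need a second pass.
        [string]$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    $killBit = 0x400
    if (-not (Test-Path -LiteralPath $CompatRoot)) { return }

    Get-ChildItem -LiteralPath $CompatRoot | ForEach-Object {
        $clsid = $_.PSChildName
        $flags = $_.GetValue('Compatibility Flags')
        if ($flags -isnot [int]) { return }             # missing or not a DWORD
        if (($flags -band $killBit) -eq 0) { return }   # kill bit not set

        # The kill bit only tells IE not to instantiate the control. The COM
        # registration below is what every other host process relies on.
        $servers = foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$kind"
            if (Test-Path -LiteralPath $key) {
                $path = (Get-Item -LiteralPath $key).GetValue('')
                if ($path) { "$kind=$path" }
            }
        }

        [pscustomobject]@{
            CLSID           = $clsid
            Flags           = '0x{0:X8}' -f $flags
            StillRegistered = [bool]$servers
            Servers         = $servers -join '; '
        }
    }
}

# Controls that are kill-bitted in IE but still registered sort to the top.
Get-KillBitAudit | Sort-Object StillRegistered -Descending | Format-Table -AutoSize
```

Rows with `StillRegistered` set to True are controls that IE will refuse to load but that remain installed for any other host, so they still need patching, removal, or another layer of control.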