Re: IE ActiveX Protection

From: Grimes, Roger (RogerG@GOLDKEYRESORTS.COM)
Date: 08/01/02


Date:         Wed, 31 Jul 2002 19:14:15 -0400
From: "Grimes, Roger" <RogerG@GOLDKEYRESORTS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On a related side note, one of the annoying ActiveX security problems is
that although ActiveX controls often exist outside of IE (download and
run Microsoft's OLE Viewer to see the true scope of controls on your
PC), most ActiveX security options are controlled by IE and IE-related
settings (configured in IEAK, registry settings, GPOs, etc.).

For example, if I set the "kill bit" on the Adobe Acrobat Reader control
(i.e. HKLM\Software\Microsoft\Internet Explorer\ActiveX
Compatibility\{CLASSID}\Compatibility Flag=400) so that it should not
launch, the kill bit only applies to PDF files executed
directly/remotely through the browser. If you click on a locally stored
PDF file, Acrobat Reader will open up fine. This used not to be a
problem, but so many exploits now routinely cross IE's Internet/local
security zone barrier that it is a problem.

All of this is to say that I can still launch many restricted controls
even if you restrict them in IE...and even launch them inside of IE.
I'm not sure how my message specifically applies to this particular
situation, but I'm fairly positive it has a direct bearing, looking at
where the security is being set. Like most security solutions, don't
assume blocking/restricting always works. It doesn't, and it should be
part of a multi-level defense plan...with the security administrator
knowing that they haven't blocked everything.

Roger A. Grimes

************************************************************************
*Roger A. Grimes, VP of IT for GK/PHR Holding Company
*Gold Key Resorts and Professional Hospitality Resources
*email: rogerg@goldkeyresorts.com
*ph: 757-491-2101 x403
*fax:757-491-6550
*932 Laskin Road, Virginia Beach, VA 23451
*Author of Malicious Mobile Code: Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
************************************************************************
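The following PowerShell script is an added worked example and is not part of Roger's post. It sets the kill bit the post describes (the REG_DWORD "Compatibility Flags" value, 0x400, under IE's "ActiveX Compatibility" key for the control's CLSID, plus the Wow6432Node copy that governs 32-bit controls on 64-bit Windows), verifies it, and then shows the post's point: the control's COM registration under HKCR\CLSID is untouched and the control can still be instantiated outside IE. The CLSID default is a placeholder and must be replaced with the real CLSID of the control; the function names are the example's own. Run it from an elevated shell.

```powershell
# Added example, not from the original post. Sets and checks an IE ActiveX
# kill bit, then shows that the COM server behind the control remains
# registered and instantiable outside IE. The default CLSID is a placeholder.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # assumption: replace with the real CLSID
)

$KillBit = 0x400   # Compatibility Flags bit that tells IE not to load the control

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # On 64-bit Windows, 32-bit controls are governed by the Wow6432Node copy of the key.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit into any flags already present instead of overwriting them ([int]$null is 0).
        $new = [int]$cur -bor $KillBit
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPaths $Clsid) {
        $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path       = $p
            Flags      = ('0x{0:X}' -f [int]$cur)
            KillBitSet = (([int]$cur -band $KillBit) -ne 0)
        }
    }
}

function Get-ComServer {
    # The kill bit lives under IE's key; the control's own COM registration is not touched by it.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $k = Join-Path $hive $Clsid
        foreach ($srv in 'InprocServer32', 'LocalServer32') {
            if (Test-Path "$k\$srv") {
                [pscustomobject]@{ Key = "$k\$srv"; Server = (Get-ItemProperty "$k\$srv").'(default)' }
            }
        }
    }
}

function Test-ComInstantiation {
    # CoCreateInstance outside IE does not consult the kill bit: if the CLSID is
    # registered, this still succeeds after Set-KillBit has run.
    param([Parameter(Mandatory)][string]$Clsid)
    try {
        $t = [Type]::GetTypeFromCLSID([guid]$Clsid)
        $o = [Activator]::CreateInstance($t)
        [Runtime.InteropServices.Marshal]::ReleaseComObject($o) | Out-Null
        return $true
    } catch {
        return $false
    }
}

# Usage: .\killbit-check.ps1 -Clsid '{...}'  (elevated). With the placeholder
# CLSID nothing is registered, so instantiation reports $false.
Set-KillBit $Clsid
Test-KillBit $Clsid | Format-Table -AutoSize
Get-ComServer $Clsid | Format-Table -AutoSize
"Instantiable outside IE after setting the kill bit: $(Test-ComInstantiation $Clsid)"
```

If Test-ComInstantiation returns $true after Set-KillBit, the control is exactly in the state the post warns about: blocked for pages loaded in IE, but still reachable by any other host that calls into COM. Blocking it everywhere means unregistering or removing the server named by Get-ComServer, which is a separate action from the kill bit.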


