Re: How to prevent my information from being accessed by webpages



Ant wrote:

"Todd H." wrote:
"Sebastian G." writes:
The problem is that you can't actually disable ActiveX due to numerous
flaws in IE's implementation.
Yup.

Could either of you give me an example of how disabling it fails or
point to somewhere that discusses it?


Well, three big issues:

- If you instantiate it through a CLSID instead of the interface name (which is actually undocumented as well as invalid HTML), then the COM server is responsible for instantiation. So, in 99% of all cases MSIE is earlier and applies its policies (meaning: does not instantiate the control); in the remaining 1% the policies are totally bypassed. Even further, one can trigger updates of existing controls, provide old signed controls, and possibly even redirect to arbitrary download locations.

- Aside from the policies, some controls are ultimately trusted and can always be instantiated. Just take a look at the source code of MSIE's internal error webpages...

- Even if instantiation is not attempted at all, just searching for the control has funny side effects. For example, as in Windows 2000 SP3, trying to instantiate the control TlntSrvClient.TlntSrvEnum triggers the startup of the Telnet Server Service (if installed, and the user logged in as Admin).

But IE has other issues as well, such as boundary errors in the CSS parser.