Re: How to prevent my information from being accessed by webpages



Ant wrote:
> "Todd H." wrote:
>> "Sebastian G." writes:
>>> The problem is that you can't actually disable ActiveX due to numerous
>>> flaws in IE's implementation.
>> Yup.
>
> Could either of you give me an example of how disabling it fails or
> point to somewhere that discusses it?


Well, three big issues:

- If you instantiate it through a CLSID instead of the interface name (which is actually undocumented as well as invalid HTML), then the COM server is responsible for instantiation. So, in 99% of all cases MSIE is earlier, and applies its policies (means: does not instantiate the control), in the remaining 1% the policies are totally bypassed. Even further, one can trigger updates of existing controls, provide old signed controls, and possibly even redirect to arbitrary download locations.

- Aside from the policies, some controls are ultimately trusted and can always be instantiated. Just take a look at the source code of MSIE's internal error webpages...

- Even if instantiation is not attempted at all, just searching for the control has funny side effects. For example, as in Windows 2000 SP3, trying to instantiate the control TlntSrvClient.TlntSrvEnum triggers the startup of the Telnet Server Service (if installed, and the user is logged in as Admin).

But IE has other issues as well, for example boundary errors in the CSS parser.