Re: How to prevent my information from being accessed by webpages



"Sebastian G." wrote:

Ant wrote:
Could either of you give me an example of how disabling it fails or
point to somewhere that discusses it?

Well, three big issues:

- If you instantiate it through a CLSID instead of the interface name (which
is actually undocumented as well as invalid HTML), then the COM server is
responsible for instantiation. So, in 99% of all cases MSIE is earlier, and
applies its policies (means: does not instantiate the control), in the rest
1% the policies are totally bypassed.

If this is random it would be difficult to check. I'd like to see a
proof-of-concept.

Even further, one can trigger updates
of existing controls, provide old signed controls, and possibly even
redirect to arbitrary download locations.

Again, I'd like to see a POC.

- Aside from the policies, some controls are ultimately trusted and can
always be instantiated. Just take a look at the source code of MSIE's
internal error webpages...

Error messages (e.g. 404) don't appear in my IE without OK-ing an
ActiveX prompt.

- Even if instantiation is not attempted at all, just searching for the
control has funny side effects. For example, as in Windows 2000 SP3, trying
to instantiate the Control TlntSrvClient.TlntSrvEnum triggers the startup of
the Telnet Server Service (if installed, and the user logged in as Admin).

I don't know why a search would be made when all automatic object
creation is disallowed in all zones.

But IE has other issues as well, like f.e. boundary errors in the CSS parser.

I'll have to look into this further.

