ActiveX technologies are built on Microsoft's Component Object Model (COM) and can access everything on your computer: all folders, all files, everything. ActiveX controls and plug-ins can include many things, such as web forms, sound and graphics, and installation programs. Some of the benign names associated with ActiveX are Microsoft Windows Media Player, Macromedia Shockwave and RealNetworks RealPlayer. Unfortunately there are also forms of ActiveX that some refer to as trojanware, associated with names such as Comet Cursor, Xupiter, Gator\Gain and Bonzi. ActiveX controls were designed so that you can decide whether or not to trust the person who developed the control. This is done through digital signatures.
ActiveX controls and plug-ins can be signed by their developer, and the browser checks the developer's certificate. Digital certificates are electronic credentials that verify an individual's or an organization's identity on the Web. The identity of the certificate owner is bound to a pair of electronic keys that can be used to encrypt and sign digital information, assuring that the keys actually belong to the person or organization specified. A valid digital signature, though, does not necessarily mean that the software is without problems. It just means that the software originated from a traceable source that you may choose to trust, and that the software has not been tampered with since publication. Likewise, an invalid signature does not prove the software is bad or dangerous; it just alerts users to potential dangers and problems.

• Download unsigned ActiveX controls and plug-ins (Fig 1b: Security Warning popup)
This option determines whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.

• Initialize and script ActiveX controls not marked as safe
Many ActiveX controls are initialized with persistent data, which is either local or remote, and most ActiveX controls are scriptable (they support a set of methods, events and properties). Both initialization (with persistent data) and scripting require certain safeguards to ensure that security is not violated. An example of a control that poses a security risk at initialization time would be a data compression/decompression control: if the user pointed this control to a remote compressed file that contained a Trojan-horse copy of a system file (such as Kernel.dll) and asked the control to decompress it, system security could be breached. An example of a control that poses a security risk at scripting time would be a control that relies on certain system settings before a script can be safely executed; it would be up to the control developer to provide the code that checks those system settings before allowing the script to execute.

• Run ActiveX controls and plug-ins (Fig 1d: Security Warning popup)
Determines whether a control or plug-in is allowed to run, assuming it has already been downloaded and is on the machine. An example would be a copy of Windows Media Player that you had already downloaded.

• Script ActiveX controls marked safe for scripting (Fig 1e: Security Warning popup)
Indicates that it is permissible to invoke the control from a script contained in a web page, using data and parameters provided by that page. In essence, a control marked "safe for scripting" is an assertion by the author that the control has implemented its own "sandbox" and cannot be used by an intruder to damage or compromise your system. Because you must rely on the author of the control to implement this "sandbox" correctly, controls marked "safe for scripting" require an especially high degree of trust.
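The point above, that a valid signature proves origin and integrity but says nothing about whether the code is benign, can be checked on a downloaded control before it is installed. The following PowerShell function is an added example, not part of the original FAQ: it reads the Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, separates the cryptographic verdict (valid, unsigned, tampered, untrusted chain) from the trust decision, and compares the signer against a publisher allow-list that you maintain yourself. The file path and the allow-list entry are placeholders.

```powershell
# Added example (not from the original FAQ): inspect the Authenticode signature on a
# downloaded ActiveX control or installer and separate "is the signature valid?" from
# "do I trust this publisher?". The allow-list is something you maintain; Windows ships none.
function Test-DownloadSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,                              # e.g. C:\Downloads\control.ocx (placeholder)
        [string[]]$TrustedPublishers = @('CN=Example Publisher, O=Example Corp')  # constructed allow-list
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is the cryptographic verdict: Valid, NotSigned, HashMismatch (file altered after
    # signing), NotTrusted / UnknownError (chain does not end in a trusted root), ...
    $result = [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Signer      = $null
        Thumbprint  = $null
        Expires     = $null
        Timestamped = $false
        Verdict     = ''
    }

    if ($sig.Status -ne 'Valid') {
        # An invalid or missing signature does not prove the file is malicious, but it removes
        # the only evidence of origin and integrity you had. Treat it as untrusted.
        $result.Verdict = "Untrusted: signature status is $($sig.Status)"
        return $result
    }

    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint
    $result.Expires    = $cert.NotAfter

    # A timestamp counter-signature keeps the signature verifiable after the certificate expires.
    $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

    # The trust decision is yours: a valid signature from an unknown publisher is traceable,
    # but "traceable" is not the same as "trusted".
    if ($TrustedPublishers -contains $cert.Subject) {
        $result.Verdict = 'Valid signature from an allow-listed publisher; still review what the control does before installing'
    } else {
        $result.Verdict = "Valid signature, but publisher '$($cert.Subject)' is not on your allow-list"
    }
    return $result
}

# Usage (placeholder path):
# Test-DownloadSignature -Path 'C:\Downloads\control.ocx' | Format-List
```

Pin publishers by certificate thumbprint rather than by subject name if you extend this for real use; subject strings are chosen by the certificate requester, while the thumbprint identifies one specific certificate.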
• File download
While downloading files is an everyday occurrence, downloading files from the Internet can be dangerous. Trojan horses love to hide in games and other programs users frequently download from the Internet. Some versions of the popular Whackamole game are actually Trojan horses that install NetBus, which lets hackers take complete remote control of your computer. Letting users download files also makes it easy for malicious users to bring hacker tools (like the password sniffer in L0phtCrack) into your network.

• Font download (Fig 2b: Security Warning popup)
This option determines whether Web pages within the zone can download HTML fonts.

• Microsoft VM (Fig 3: Default Level recommended settings)
Microsoft VM (Virtual Machine) is the software in your browser that allows Java applets to be fully functional. Your browser displays what HTML code says, but Java goes beyond display and actually executes what the Java code says to do. Java is a language that can execute commands to access your files, other computers, even your printer. Because of this, Java must be handled with care. For the novice, the recommended setting for your Internet Zone is "High Safety". This allows Java to function without allowing access to files, printers or other computers. Additionally, it won't allow any new windows outside of the IE window.

• Miscellaneous Options (Fig 4: Default Level recommended settings)
• Cross-domain data access
Controls cross-domain data access. Cross-domain data access can open the door to various spoofing attacks.

• Allow META REFRESH
The META REFRESH setting (tag) enables the author of a Web page to redirect your browser to another Web page after a specified amount of time.

• Display mixed content (Fig 4a: Security Warning popup)
When you browse to a secure web site (HTTPS, i.e. SSL, the Secure Sockets Layer), the information you provide, such as your name or credit-card number, is encrypted so that it can't be viewed by other people. However, that page may also contain items that do not use this secure protocol, typically miscellaneous images or navigation bars, which do not need to be encrypted. All personal information you send and receive should still be encrypted.

• Don't prompt for client certificate selection when no certificates or only one certificate exists
This option specifies whether users are prompted to select a certificate when no trusted certificate or only one trusted certificate has been installed on the computer.

• Drag and drop or copy and paste files
Controls whether users can drag-and-drop files or copy and paste files.

• Installation of desktop items
Controls whether or not users can download and install Active Desktop content.
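All of the settings described above, from the ActiveX options through the Java permissions to the miscellaneous options, are stored per zone in the registry, so an administrator can audit them without clicking through the dialog. The PowerShell function below is an added example and not part of the original FAQ: it reads the Internet zone (zone 3) for the current user and reports each setting's state, flagging the ones that are simply Enabled where a prompt or Disable is the safer choice. Assumptions: the DWORD value names (1004, 1201, 1200, 1405, 1803, 1604, 1406, 1608, 1609, 1A04, 1802, 1800, 1C00) and the encodings 0 = Enable, 1 = Prompt, 3 = Disable are taken from Microsoft's published table of security-zone registry entries and should be verified against the IE version in use; the "Cross-domain data access" item above is assumed to be the setting Microsoft names "Access data sources across domains".

```powershell
# Added example (not from the original FAQ): audit the Internet zone settings discussed
# above straight from the registry. Value names and encodings are assumed from Microsoft's
# documented zone registry entries; verify them for your IE version.
function Get-InternetZoneAudit {
    param(
        [int]$Zone = 3,          # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
        [string]$Hive = 'HKCU'   # use 'HKLM' to inspect machine-wide policy instead of the user's settings
    )
    $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    if (-not (Test-Path $key)) { throw "Zone key not found: $key" }
    $props = Get-ItemProperty -Path $key

    # Value name -> setting label, and whether plain "Enable" (no prompt) deserves a warning
    # in the Internet zone according to the descriptions in the FAQ.
    $settings = @(
        @{ Name = '1004'; Label = 'Download unsigned ActiveX controls and plug-ins';            RiskyIfEnabled = $true  }
        @{ Name = '1201'; Label = 'Initialize and script ActiveX controls not marked as safe';  RiskyIfEnabled = $true  }
        @{ Name = '1200'; Label = 'Run ActiveX controls and plug-ins';                          RiskyIfEnabled = $false }
        @{ Name = '1405'; Label = 'Script ActiveX controls marked safe for scripting';          RiskyIfEnabled = $false }
        @{ Name = '1803'; Label = 'File download';                                              RiskyIfEnabled = $false }
        @{ Name = '1604'; Label = 'Font download';                                              RiskyIfEnabled = $false }
        @{ Name = '1406'; Label = 'Access data sources across domains';                         RiskyIfEnabled = $true  }
        @{ Name = '1608'; Label = 'Allow META REFRESH';                                         RiskyIfEnabled = $false }
        @{ Name = '1609'; Label = 'Display mixed content';                                      RiskyIfEnabled = $true  }
        @{ Name = '1A04'; Label = "Don't prompt for client certificate selection";              RiskyIfEnabled = $false }
        @{ Name = '1802'; Label = 'Drag and drop or copy and paste files';                      RiskyIfEnabled = $false }
        @{ Name = '1800'; Label = 'Installation of desktop items';                              RiskyIfEnabled = $true  }
    )
    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    foreach ($s in $settings) {
        $raw = $props.($s.Name)    # $null when the value is absent (zone default applies)
        $state = if ($null -eq $raw) { 'not set (default)' }
                 elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
                 else { "unknown ($raw)" }
        [pscustomobject]@{
            Setting = $s.Label
            Value   = $s.Name
            State   = $state
            Warning = if ($s.RiskyIfEnabled -and $raw -eq 0) { 'Enabled without prompt in this zone' } else { '' }
        }
    }

    # Java permissions (value 1C00) use a different encoding than the Enable/Prompt/Disable settings.
    $java = @{ 0 = 'Disable Java'; 0x10000 = 'High safety'; 0x20000 = 'Medium safety'; 0x30000 = 'Low safety'; 0x800000 = 'Custom' }
    $j = $props.'1C00'
    [pscustomobject]@{
        Setting = 'Microsoft VM - Java permissions'
        Value   = '1C00'
        State   = if ($null -eq $j) { 'not set (default)' }
                  elseif ($java.ContainsKey([int]$j)) { $java[[int]$j] }
                  else { "unknown ($j)" }
        Warning = if ($j -eq 0x30000) { 'Low safety lets applets reach files, printers and other hosts' } else { '' }
    }
}

# Usage: list the Internet zone for the current user, warnings first.
Get-InternetZoneAudit | Sort-Object Warning -Descending | Format-Table -AutoSize
```

Run the same function with -Zone 4 to confirm the Restricted sites zone is at least as strict, and with -Hive 'HKLM' to see whether a machine-wide policy overrides what the user sees in the dialog.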
by Bubba edited by MSeng