eburger68
Premium Member
join:2001-04-28

eburger68 to R2

Re: ActiveX Changes in IE

R2:

You asked:
said by R2:
  1. Are most nefarious ActiveX controls using "external data"? Is there anything specifically worrisome for us in the use of external data from a remote source? Cannot ActiveX controls without external data be equally dangerous? (This sounds like more of a lawsuit issue than a user protection issue).

A lot of the nefarious ActiveX controls are loaded as external data. Not all of them, but a lot of them. For example, you might remember my favorite test page:

Innovator's of Wrestling
»iowrestling.com/

If you visit there with your "defenses" down, you'll get hit with an endless stream of drive-by-downloads and popups. Most of those will be "external data" -- they're being loaded by the iowrestling.com site from lop.com, xupiter.com, and other places.

Now, there are still plenty of sites that you could hit (or be lured to) where the controls would not be considered external data. So-called "portal potties" would be a good example of this sort of thing. Most folks don't knowingly or willingly visit these kinds of sites, but they often get lured to them or tricked into visiting them.

Another interesting angle is popups: say the iowrestling.com site loads a popup from lop.com and the popup window attempts to load an ActiveX control from lop.com -- will that be considered external data? (You might recall that we wrestled with a similar issue -- 1st party vs. 3rd party -- with IE6's privacy settings when we tested IE6.)

As to whether "external data" is more worrisome -- I think the key consideration here is the default behavior of the new IE6 and what users will see. External data is not in and of itself inherently worrisome -- it's how IE6 handles it and presents options to the user. If you go back and look at my second post in this thread (before I got worried about the NOEXTERNALDATA attribute), you'll see that I was speculating that "spyware pushers" who dig in their heels and don't move to one of these new options for loading ActiveX controls may see the number of users open to their unwanted software decline as people seek to avoid those annoying confirmation boxes. That's all speculation, though.

So, plenty of interesting angles to this one, even though my initial fears now seem to be overblown.

Best,

Eric L. Howes

R2
R Not
MVM
join:2000-09-18
Long Beach, CA


I could not resist. I had to visit that Wrestling site. Hey, she's kinda cute... OK, back on topic.;)

There is a ton of JavaScript on the site, and a lot of it causes pop-ups -- but I actually don't see any ActiveX in the Source code.

Here is some of the nasty Script:
<SCRIPT Language="JavaScript" SRC="http://nitrous.exitfuel.com/js/iow1_u.js"></SCRIPT>

<script language="JavaScript">
document.cookie = 'bookmark = anoyeds cool page; expires=' + now + ';'; //no mk1
window.external.AddFavorite(location.href, document.title);
}
// --End Hiding Here -->
</script>
But I don't find an OBJECT tag anywhere.

Now, that certainly could be because the primary site does not contain the ActiveX controls -- only the secondary sites do. And, I suspect that is your 1st-party vs. 3rd-party analogy. Certainly, if a Script loads a secondary page (even if in a Frame), then I suspect that new site is considered a 1st-party HTML page -- and therefore it does NOT have to be concerned about "External Data" or "Remote Sources".

This again demonstrates that any modification in IE because of this lawsuit has VERY LITTLE to do with making the "average user's" browsing experience any safer...

I wonder if someone has a direct link to a site that has an ActiveX control that does a Browser Hijack or creates the Lop Tool bar??

[text was edited by author 2003-10-08 21:12:48]
eburger68
Premium Member
join:2001-04-28


R2:

If you surf around that IOW site, you will eventually hit ActiveX controls, but they can be a bit difficult to locate in the mess of files that will appear in your cache.

Here are a few examples of ActiveX controls (and one plugin) loaded by different pages that I've come across recently.

First, a standard bit of code to install the Macromedia Flash Player -- from »www.iowrestling.com/index2.shtml
quote:

<object classid="clsid:C27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://active.macromedia.com/flash4/cabs/swflash.cab#version=4,0,0,0"
id="Movie1" width="125" height="375">
<param name="movie" value="/flash/ad2.swf">
<param name="quality" value="high">
<param name="bgcolor" value="#003366">
<embed name="Movie1" src="/flash/ad2.swf" quality="high" bgcolor="#003366"
width="125" height="375"
type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
</embed>
</object>

Because it's being loaded by the IOW page from macromedia.com, that would likely be considered external data, and this is an example of the sort of thing that would cause the "OK" confirmation box in the new version of IE.

Here's the Netster "SmartBrowse" plugin loaded by this page: »69.0.137.190/banner1/start.asp
quote:

<object classid='clsid:359F7E49-1EA0-4671-92E9-61E32FE25C5E'
codebase="Netster.dll"
id=InitScript
height=0
width=0>
</object>

Notice the codebase -- my guess is that would likely be considered NON-external data. It's local to the site.

The same with the Stop-PopUp-Ads-Now browser add-on from here: »www.stop-popup-ads-now.c ··· load.htm
quote:

<OBJECT Height=0 Width=0 CLASSID="clsid:1000026A-8230-4DD4-BE4F-6889D1E74167" ID ="IEHelper"
CODEBASE="stoppop.cab"></OBJECT>

This last example is interesting -- it loads the Real plugin from an ifilm.com page (»static.ifilm.com/image/i ··· lay.html) but it uses a script:
quote:

<script language="JavaScript">
<!--
if (is_win && is_ie) {
document.write('<object id="RealPlayer" classid="CLSID:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA" width="1" height="1"></object>');
} else {
document.write('<embed name="RealPlayer" type="audio/x-pn-realaudio-plugin" width="1" height="1" controls="ImageWindow" console="one" nolabels="true" nologo="true">');
}
//-->
</script>

I could probably dig up some additional examples if need be.

Best,

Eric L. Howes
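The distinction the thread keeps circling back to (a control whose codebase lives on another host versus one served from the page's own site, plus controls that only appear once a script calls document.write) can be checked mechanically from saved page source. The following is an added example, not code from the thread or from any poster: it takes the thread's working definition of "external data" as an assumption (codebase host differs from the page host; IE's actual rule is not documented here), uses the placeholder host www.example.test, and builds its sample HTML from the three tags quoted above.

```python
"""Classify <object> tags in page source as first-party or external (added example).

Models the thread's reading of "external data" as a control whose codebase resolves
to a host other than the page's own (an assumption, not IE's documented rule), and
flags <object> tags emitted from document.write(), which a scan of the static markup
alone would miss.
"""
import re
from urllib.parse import urljoin, urlsplit

OBJECT_RE = re.compile(r'<object\b[^>]*>', re.IGNORECASE)
SCRIPT_RE = re.compile(r'<script\b.*?</script>', re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')

def parse_attrs(tag):
    """Return a tag's attributes as a lowercase-keyed dict (quoted or bare values)."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}

def classify_objects(page_url, html):
    """One record per <object>: classid, resolved codebase, external, script_generated."""
    page_host = urlsplit(page_url).netloc.lower()
    script_spans = [(m.start(), m.end()) for m in SCRIPT_RE.finditer(html)]
    records = []
    for m in OBJECT_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        codebase = attrs.get("codebase", "")
        # Drop IE's "#version=..." suffix, then resolve relative to the page URL.
        resolved = urljoin(page_url, codebase.split("#", 1)[0]) if codebase else ""
        host = urlsplit(resolved).netloc.lower() if resolved else page_host
        records.append({
            "classid": attrs.get("classid", "").lower(),
            "codebase": resolved,
            "external": host != page_host,
            "script_generated": any(s <= m.start() < e for s, e in script_spans),
        })
    return records

# Constructed sample: the thread's three cases placed on a placeholder host.
SAMPLE_URL = "http://www.example.test/index2.shtml"
SAMPLE_HTML = """
<object classid="clsid:C27CDB6E-AE6D-11cf-96B8-444553540000"
 codebase="http://active.macromedia.com/flash4/cabs/swflash.cab#version=4,0,0,0"
 id="Movie1" width="125" height="375"></object>
<object classid='clsid:359F7E49-1EA0-4671-92E9-61E32FE25C5E' codebase="Netster.dll"
 id=InitScript height=0 width=0></object>
<script language="JavaScript">
document.write('<object id="RealPlayer" classid="CLSID:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA" width="1" height="1"></object>');
</script>
"""
```

Calling classify_objects(SAMPLE_URL, SAMPLE_HTML) reports the Flash control as external, the Netster control as local to the site, and the RealPlayer control as script-generated with no codebase at all.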