Bugtraq mailing list archives

Re: [New ActiveX security problems in Windows 98 PCs]


From: seanmckay () NETSCAPE NET (McKay)
Date: Mon, 2 Aug 1999 11:56:40 CDT


"David N. Murray" <dmurray () JSBSYSTEMS COM> wrote:

What can computer manufacturers and software companies do about the problem
of security holes in pre-installed ActiveX controls?  As it turns out,
Internet Explorer 5 already offers a great solution.  IE5 supports a new
feature called HTML applications (or .HTA files).  An HTML Application is
built like a Web page but can only be loaded and executed from the hard
drive.  Because an .HTA file comes from the local drive and not the
Internet, scripts on the page are completely trusted and are allowed to
use all ActiveX controls installed on a system whether the controls are
marked safe or not.  For an HTML application, none of its private ActiveX
controls have to be marked safe for scripting and therefore the controls
cannot be misused on Web pages.


I hate to burst your bubble, but .HTA files can come from the Internet.  When
an IE4 or IE5 browser encounters a .HTA file on the Internet, it prompts with
a typical open/save dialog box.

If you tell the dialog to open it, it runs on your system with fully trusted
permissions (i.e. no security).

For an example of a .HTA from the Internet go to...

http://msdn.microsoft.com/workshop/essentials/versions/Ie5hta.asp

and look for a link on the page with the text:

"Here's how this simple HTA looks".

McKay
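
The delivery path described in this reply, seen from the defender's side, as an added example that is not part of the original post: a Python check that flags HTTP responses arriving as an .HTA by URL extension, by the `application/hta` content type, or by attachment filename. The record layout, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample records (not from the original post):
# (url, Content-Type header, Content-Disposition header)
SAMPLE_RESPONSES = [
    ("http://intranet.example/help/index.html", "text/html", ""),
    ("http://files.example/tools/Setup.HTA?id=7", "application/octet-stream", ""),
    ("http://files.example/get.asp?doc=12", "application/hta", ""),
    ("http://files.example/dl", "text/plain", 'attachment; filename="report.hta"'),
    ("http://files.example/notes.hta.txt", "text/plain", ""),
]


def hta_reasons(url, content_type="", content_disposition=""):
    """Return the reasons a response identifies itself as an HTML Application."""
    reasons = []
    # Look only at the path, so query strings and case do not hide the extension.
    path = unquote(urlsplit(url).path).lower()
    if path.endswith(".hta"):
        reasons.append("url-extension")
    # A page with another extension (for example .asp) can still serve HTA content.
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == "application/hta":
        reasons.append("content-type")
    # The name offered in the open/save dialog can differ from the URL.
    for part in content_disposition.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "filename" and value.strip("\"' ").lower().endswith(".hta"):
            reasons.append("attachment-filename")
    return reasons


def flag_hta(responses):
    """Return (url, reasons) for every response that matched at least one check."""
    flagged = []
    for url, ctype, cdisp in responses:
        reasons = hta_reasons(url, ctype, cdisp)
        if reasons:
            flagged.append((url, reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in flag_hta(SAMPLE_RESPONSES):
        print(url, "->", ", ".join(reasons))
```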
