Bugtraq mailing list archives
Re: [New ActiveX security problems in Windows 98 PCs]
From: seanmckay () NETSCAPE NET (McKay)
Date: Mon, 2 Aug 1999 11:56:40 CDT
"David N. Murray" <dmurray () JSBSYSTEMS COM> wrote:
> What can computer manufacturers and software companies do about the problem of security holes in pre-installed ActiveX controls? As it turns out, Internet Explorer 5 already offers a great solution. IE5 supports a new feature called HTML applications (or .HTA files). An HTML Application is built like a Web page but can only be loaded and executed from the hard drive. Because an .HTA file comes from the local drive and not the Internet, scripts on the page are completely trusted and are allowed to use all ActiveX controls installed on a system whether the controls are marked safe or not. For an HTML application, none of its private ActiveX controls have to be marked safe for scripting and therefore the controls cannot be misused on Web pages.
I hate to burst your bubble, but .HTA files can come from the Internet. When an IE4 or IE5 browser encounters a .HTA file on the Internet, it prompts with a typical open/save dialog box. If you tell the dialog to open it, it runs on your system with fully trusted permissions (i.e. no security).

For an example of a .HTA from the Internet go to...

http://msdn.microsoft.com/workshop/essentials/versions/Ie5hta.asp

and look for a link on the page with the text: "Here's how this simple HTA looks".

McKay
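
An added example, not part of the original post: since the reply points out that an .HTA can be served from the Internet and runs fully trusted once opened, a gateway or proxy-log check can flag such downloads. The record layout (URL, Content-Type, Content-Disposition) and the `files.example` hosts are constructed for illustration; `application/hta` is the MIME type Windows associates with HTA files.

```python
import re
from urllib.parse import urlsplit, unquote

HTA_MIME = "application/hta"
# Pulls the name out of filename="x" or filename*=UTF-8''x in Content-Disposition.
FILENAME_RE = re.compile(r'filename\*?=(?:[\w-]+\'\')?"?([^";]+)"?', re.I)

def _is_hta_name(name):
    # Windows drops trailing dots and spaces, so "a.hta." still opens as an HTA.
    return unquote(name).strip().lower().rstrip(". ").endswith(".hta")

def hta_reasons(url, content_type="", content_disposition=""):
    """Return the reasons a response looks like an HTA download (empty if none)."""
    reasons = []
    # Only the path counts: query strings and fragments are ignored.
    if _is_hta_name(urlsplit(url).path):
        reasons.append("url-extension")
    # Compare the media type only, ignoring parameters such as charset.
    if content_type.split(";")[0].strip().lower() == HTA_MIME:
        reasons.append("content-type")
    m = FILENAME_RE.search(content_disposition)
    if m and _is_hta_name(m.group(1)):
        reasons.append("disposition-filename")
    return reasons

# Constructed sample records: (url, Content-Type, Content-Disposition).
SAMPLE = [
    ("http://files.example/tools/setup.HTA?x=1", "application/octet-stream", ""),
    ("http://files.example/get.asp?id=7", "application/hta; charset=utf-8", ""),
    ("http://files.example/dl", "text/html", 'attachment; filename="report.hta"'),
    ("http://files.example/docs/hta-overview.html", "text/html", ""),
]

def scan(records):
    """Return (url, reasons) for every record that looks like an HTA download."""
    hits = []
    for url, ctype, disp in records:
        reasons = hta_reasons(url, ctype, disp)
        if reasons:
            hits.append((url, reasons))
    return hits

if __name__ == "__main__":
    for url, why in scan(SAMPLE):
        print(url, why)
```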