Bugtraq mailing list archives
Re: Microsoft signed software can be install software without prompting users
From: ACR () ALS CO UK (Alan Ramsbottom)
Date: Mon, 21 Feb 2000 22:51:41 -0000
From: "Juan Carlos Garcia Cuartango" <cuartango () teleline es>

I have prepared a demo in http://www.angelfire.com/ab/juan123/iengine.html

Which says:

"How to close the back door

Disable the "Download signed ActiveX" security option". But this solution will also forbid other software manufacturers to offer you their software in the clear way, that is : asking before install. As usual, you can also disable JavaScripting as an alternative to the first solution."

Disabling the specific control rather than all component download or jscript might be preferable for some folk.

When Juan found the problem with the DHTML Edit control last year, someone from MS intriguingly mentioned "classid revocation" as a means to disable a specific control. We didn't get any useful details at the time, but some info finally surfaced in the MS KB article Q240797.

NB: I've only tested this under W2K+IE5 and don't blame me if things break:

1) Run up a registry editor and go to:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

2) Create a new key based on the CLSID of the Active Setup controls:

   {6E449683-C509-11CF-AAFA-00AA00B6015C}

3) Under your new key, create the REG_DWORD value:

   Compatibility Flags 0x00000400

This sets the "kill bit" for the Active Setup control i.e. stops it from being run via IE. This can be reversed by deleting the value or the whole of your new key.

PS: Does anyone know the definitions for the other flag bits?

-Alan-
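An added example, not part of the original post: a small audit helper that reads a text export of the ActiveX Compatibility key, reports whether the kill bit from step 3 is set for a CLSID, and builds a .reg fragment that sets it while preserving any other flag bits already present. The sample export, the second CLSID, the REGEDIT4 export format and the "clear only bit 0x400" undo are assumptions made for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" value given in the post
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ACTIVE_SETUP = "{6E449683-C509-11CF-AAFA-00AA00B6015C}"  # CLSID from the post
OTHER = "{00000000-0000-0000-0000-000000000001}"         # constructed placeholder CLSID

# Constructed sample of a regedit text export of the key above.
SAMPLE_EXPORT = f'''REGEDIT4

[{BASE}\\{ACTIVE_SETUP}]
"Compatibility Flags"=dword:00000400

[{BASE}\\{OTHER}]
"Compatibility Flags"=dword:00000020
'''

KEY_RE = re.compile(r"^\[" + re.escape(BASE) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$", re.I)
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)

def parse_flags(export_text):
    """Map each CLSID subkey to its Compatibility Flags value (0 if absent)."""
    flags, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        value = VALUE_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags[current] = 0
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current and value:
            flags[current] = int(value.group(1), 16)
    return flags

def is_killed(flags, clsid):
    """True if bit 0x400 is set for this CLSID."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)

def reg_patch(flags, clsid, kill=True):
    """Build a .reg fragment that sets (or clears) only the kill bit."""
    old = flags.get(clsid.upper(), 0)
    new = (old | KILL_BIT) if kill else (old & ~KILL_BIT)
    return ('REGEDIT4\n\n[%s\\%s]\n"Compatibility Flags"=dword:%08x\n'
            % (BASE, clsid.upper(), new))

if __name__ == "__main__":
    current = parse_flags(SAMPLE_EXPORT)
    for clsid in (ACTIVE_SETUP, OTHER):
        print(clsid, "killed" if is_killed(current, clsid) else "NOT killed")
    print(reg_patch(current, OTHER))
```

ORing the bit in rather than overwriting the value matters because the meaning of the other flag bits is not given in the post, so the fragment leaves them untouched.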