Vulnerability Development mailing list archives

RE: Simple question about ActiveX and IE


From: "Menashe Eliezer" <menashe () finjan com>
Date: Wed, 20 Mar 2002 04:01:48 +0200

You are right.  There's NO browser sandbox for ActiveX controls.
We know about the Porn Dialers problem.  Our proactive applications blocked them
based on our own sandbox implementation.
Only unsigned ActiveX controls can be limited.
End users can only approve ActiveX controls signed by a specific
signer, if the browser's security setting isn't low.
Letting end users make security decisions isn't a good idea.
You can ask your boss to try the following demo:
www.finjan.com/mcrc/activex.cfm

I hope it helps.

Regards,
Menashe Eliezer
Manager, Malicious Code Research Center
Web: http://www.finjan.com/mcrc


-----Original Message-----
From: Jonathan Mole [mailto:jonathan () ukexplorer com]
Sent: Tuesday, March 19, 2002 2:52 PM
To: vuln-dev () securityfocus com
Subject: Simple question about ActiveX and IE


This is probably a very simple question, with a very simple answer.
I am running Windows 2000 with all the latest service patches. We have
written an interface for Internet terminals (based on the IE6 libraries); we
need to allow ActiveX and ActiveX downloading, as the users could be going
to any page on the web.
My boss is sure that there is a way to allow ActiveX, but to allow it
absolutely no access to other files on the system. Could somebody tell me if
this is true or not, and if so, what group policies/registry settings do I
need to change? I have always believed that there was no sandbox for ActiveX
controls. I remember seeing one that checks for various files on your system.
The main problem we have is due to Porn Dialers. Once the ActiveX control
has run, they add a new connection to dialup networking.

Thanks in advance,
                 Jonathan Molando
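As an added example that is not part of either message: a PowerShell audit of the Internet-zone browser security settings that decide whether signed and unsigned ActiveX controls may be downloaded and run, which is the registry side of the "group policies/registry settings" question above. It assumes the standard Internet Explorer zone layout (zone 3 = Internet; URL action values 1001/1004/1200/1201; 0 = enable, 1 = prompt, 3 = disable) and the Security_HKLM_only switch that makes machine-wide policy settings override per-user ones.

```powershell
# Added audit script (not from the original thread). Reads the ActiveX-related
# URL action values of one IE security zone from both hives and flags settings
# that leave unsigned or unsafe-for-scripting controls enabled or prompting.
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}
$meaning = @{ 0 = 'enable'; 1 = 'prompt'; 3 = 'disable' }   # IE URL action states

function Get-ActiveXZoneSettings {
    param([int]$Zone = 3)   # 3 = Internet zone; 1 = Local intranet, 2 = Trusted sites
    $base = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    # When Security_HKLM_only = 1 (policy "use only machine settings"), only HKLM applies.
    $hklmOnly = (Get-ItemProperty -Path "HKLM:\$base" -ErrorAction SilentlyContinue).Security_HKLM_only
    $hives = if ($hklmOnly -eq 1) { @('HKLM') } else { @('HKLM', 'HKCU') }

    foreach ($hive in $hives) {
        $path = "${hive}:\$base\Zones\$Zone"
        if (-not (Test-Path $path)) { continue }
        $key = Get-ItemProperty -Path $path
        foreach ($id in ($actions.Keys | Sort-Object)) {
            $raw = $key.$id
            if ($null -eq $raw) { continue }          # value not set in this hive
            $state = if ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] } else { "unknown($raw)" }
            # Unsigned downloads and unsafe scripting should be fully disabled;
            # "prompt" still hands the decision to the end user.
            $risky = ($id -in '1004', '1201') -and ([int]$raw -ne 3)
            [pscustomobject]@{
                Hive    = $hive
                Action  = $id
                Setting = $actions[$id]
                State   = $state
                Risky   = $risky
            }
        }
    }
}

# Show the effective values and highlight the ones an administrator should lock down.
Get-ActiveXZoneSettings -Zone 3 | Format-Table -AutoSize
```

Run it as the interactive user to see the per-user values, and elevated to see the machine-wide ones; any row with Risky = True means unsigned or unsafe-for-scripting controls are not blocked outright for the Internet zone.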