The two most important ideas to understand are ActiveX controls and Internet Explorer security zones.

ActiveX Controls

Microsoft added ActiveX support to Internet Explorer to give developers the opportunity to extend the browsing experience. These “controls” are just small programs written to be run from within a container, usually Internet Explorer. ActiveX controls can do just about anything that the user running them can do, including access the registry or modify the file system. Yikes! Before Internet Explorer will install and run an ActiveX control, however, it presents a security warning to the user along with a digital signature from the control’s developer. The user then makes a trust decision based on the developer, the name of the control, and the digital signature. The danger comes when a control is marked as safe to be scripted by anyone, is signed by a trustworthy corporation, and has a security vulnerability. When a bad guy finds this vulnerability, he can host a copy of the ActiveX control on his evil.com web server, build HTML code to instantiate the ActiveX control, and then lure an unsuspecting user to browse to the web page and accept the security dialog box. As an example of how ActiveX controls work, the text below is HTML that instantiates the Adobe Flash ActiveX control to play a movie.
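As an added example (not code from the book): a small Python scanner that inventories which ActiveX controls an HTML page instantiates, in the two forms a page can use: the <object classid="clsid:{...}"> element with its optional codebase attribute (the URL from which Internet Explorer will fetch the control if it is not already installed, which is how a page can point the browser at a copy hosted on the author's own server), and new ActiveXObject("ProgID") calls in inline script. It then flags controls that are on a deny list or would be downloaded from a remote codebase. The HTML sample, every GUID in it, the ProgID and the deny list are constructed placeholders; the real Flash control's identifier is deliberately not reproduced here.

```python
"""Added example, not from the book: static inventory of ActiveX
instantiation in an HTML page, with a deny-list check.

Everything below the imports that looks like a real identifier is a
constructed placeholder: the GUIDs, the ProgID, the hostname and the
deny list are made up for the example.
"""
import re
from html.parser import HTMLParser

# {8-4-4-4-12} hex GUID, as it appears in classid="clsid:{...}"
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# Pattern for script-side instantiation: new ActiveXObject("Vendor.Control")
ACTIVEXOBJECT_RE = re.compile(r'new\s+ActiveXObject\(\s*["\']([^"\']+)["\']')

# Constructed deny list (stand-in for the CLSIDs your organisation blocks,
# e.g. controls that have had the kill bit set). Stored upper-case.
KILL_BITTED = {"11111111-2222-3333-4444-555555555555"}


class ActiveXFinder(HTMLParser):
    """Collects every control instantiation found while parsing."""

    def __init__(self):
        super().__init__()
        self.controls = []      # dicts with keys: kind, id, codebase
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object":
            m = GUID_RE.search(a.get("classid") or "")
            if m:
                self.controls.append({
                    "kind": "object",
                    "id": m.group(0).upper(),
                    # codebase = where IE downloads the control from
                    "codebase": a.get("codebase"),
                })
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered here as raw text by HTMLParser
        if self._in_script:
            for progid in ACTIVEXOBJECT_RE.findall(data):
                self.controls.append({"kind": "script", "id": progid, "codebase": None})


def find_activex(html):
    """Return every ActiveX instantiation found in the HTML, in document order."""
    p = ActiveXFinder()
    p.feed(html)
    p.close()
    return p.controls


def flagged(html, denylist=KILL_BITTED):
    """Return the instantiations worth a closer look, each with its reasons:
    the control is on the deny list, or it would be fetched over the network."""
    out = []
    for c in find_activex(html):
        reasons = []
        if c["id"] in denylist:
            reasons.append("kill-bitted")
        cb = (c["codebase"] or "").lower()
        if cb.startswith(("http://", "https://")):
            reasons.append("remote codebase")
        if reasons:
            out.append({**c, "reasons": reasons})
    return out


# Constructed sample page: one object pulled from a remote server with a
# deny-listed CLSID, one plain object, and one script-side instantiation.
SAMPLE_HTML = """<html><body>
<object classid="clsid:{11111111-2222-3333-4444-555555555555}"
        codebase="http://example.invalid/control.cab#version=1,0,0,0"
        width="400" height="300">
  <param name="movie" value="demo.swf">
</object>
<object classid="clsid:{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"></object>
<script>
  var x = new ActiveXObject("Example.Control.1");
</script>
</body></html>"""

if __name__ == "__main__":
    for c in find_activex(SAMPLE_HTML):
        print("found:", c)
    for c in flagged(SAMPLE_HTML):
        print("FLAGGED:", c["id"], "->", ", ".join(c["reasons"]))
```

The scanner only parses; it never instantiates anything, so it can be run over saved pages, proxy captures or mail attachments on any platform. On the sample it reports three instantiations and flags one: the deny-listed control that the page also tries to download from a remote host, which is exactly the "host a copy on my own server and instantiate it from HTML" pattern the text describes.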