[thelist] ActiveX Security (was: disable Flash)

John Dowdell jdowdell at macromedia.com
Tue May 8 18:12:57 CDT 2001

At 10:28 PM 5/7/1, Mark Groen wrote:
> ...change the default setting on Active X controls to Prompt or
> Disable. I have mine set to prompt, and when I hit a site that uses
> either, it opens up a pop up that asks if you want to run this code
> on your machine. On sites that I am not familiar with, I always
> click NO. Active X controls can still run VB script as far as I know,
> and I am not about to let some script kiddies spoil my machine that
> I saved up for months to purchase.

It's good to be careful. There are actually a couple of different issues
here, though:

--  One aspect is to check which ActiveX Controls are already installed on
your machine, and so can be invoked by an HTML page. (New controls will
auto-download, but will not install until you explicitly grant permission.)
    Assuming you haven't already installed strange controls, then it's
reasonable to assume that the default collection with your OS is safe -- if
not, everyone would be vulnerable and you'd hear the news, for sure.
    There's a difference between installing a new control, and using an
existing control.

--  The next question is about which new ActiveX Controls to accept.
Factors here include your familiarity with the maker, your inspection of
the identity certificate, how high-profile the particular ActiveX Control
is, things like this. It may be dangerous to accept strange ActiveX
Controls, but with well-known controls you have a known quantity, which
necessarily need to invest in building a strong sandbox.

--  You also mention control->VBScript communication. The security limits
here are similar to what you'd see in VBScript within an HTML page... the
triggering mechanism would play no role. If you've installed the "scripting
host" extensions (forget the exact name, sorry), then this could confer
file privileges to any HTML page, but this security area would depend on
how you've configured your browser's scripting, not on what a control in a
page may request.

Summary: Well-distributed plugins and controls need to restrict possible
security breaches, or else they won't be well-distributed anymore. You can
prevent installation of new controls without disabling existing controls.


John Dowdell, Macromedia Tech Support, San Francisco CA US
Search technotes: http://www.macromedia.com/support/search/
Offlist email risks capture by the spam filters. I may not see your
email if it's not on the list. Private one-on-one email options are
available via Priority Access: http://www.macromedia.com/support/

More information about the thelist mailing list