Bugtraq mailing list archives

Re: IE5 ActiveX security bug


From: apendleton () VGSINC COM (Adam H. Pendleton)
Date: Tue, 3 Aug 1999 14:34:17 -0400


Assuming that this would apply to non-malicious ActiveX controls, I can not
reproduce this condition with IE 5 on Windows NT.  I have set the ActiveX
setting to "Prompt.." and went to http://www.microsoft.com/mscorp/.  The
first time, I selected "Yes", and the virtual tour picture activated.  I
closed IE5, went back to the page, selected no, and it did NOT run.  Even
going back to the page, I was still prompted, and could not get the control
to run again without selecting yes.  Perhaps this is a unique case, or a
caching issue.

Adam

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Si hoc legere scis nimium eruditionis habes.

----- Original Message -----
From: Sami Kuhmonen <feenix () IQS FI>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Sunday, August 01, 1999 2:21 PM
Subject: IE5 ActiveX security bug

There is a severe bug in Internet Explorer 5's security system concerning
ActiveX components on web pages.

If you go to a web page that has an evil ActiveX component (for example,
the component shuts down Windows) and tell IE to run the component, of
course it runs it. After that you know that you do not want to run that
component. But what happens when you go to that page later? IE5 asks
whether you want to run this component or not. Say no, and it still runs
it!

So all it takes is one little mistake to run the component and it will be
run every time you go to a page with that component.

And think what will happen, if the component doesn't do its damage the
first time, but the second time or later. Even if you don't want to run
it, it will be run. And it might not even be shown on the screen.

--
 Sami Kuhmonen        | sami () iqs fi | http://feenix.iqs.fi/
 iQs Partners Finland |  iqs () iqs fi | http://www.iqs.fi/
  !!Web hosting with no setup fee!! | http://www.saitti.net/
 * Check out the online store!      | http://kauppa.iqs.fi/ *

