Assuming that this would apply to non-malicious ActiveX controls, I can not reproduce this condition with IE 5 on Windows NT. I have set the ActiveX setting to "Prompt.." and went to http://www.microsoft.com/mscorp/. The first time, I selected "Yes", and the virtual tour picture activated. I closed IE5, went back to the page, selected no, and it did NOT run. Even going back to the page, I was still prompted, and could not get the control to run again without selecting yes. Perhaps this is a unique case, or a caching issue. Adam ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Si hoc legere scis nimium eruditionis habes. ----- Original Message ----- From: Sami Kuhmonen <feenixat_private> To: <BUGTRAQat_private> Sent: Sunday, August 01, 1999 2:21 PM Subject: IE5 ActiveX security bug > There is a severe bug in Internet Explorer 5's security system concerning > ActiveX components on web pages. > > If you go to a web page that has an evil ActiveX component (for example, > the component shuts down Windows) and tell IE to run the component, of > course it runs it. After that you know that you do not want to run that > component. But what happens when you go to that page later? IE5 asks > whether you want to run this component or not. Say no, and it still runs > it! > > So all it takes is one little mistake to run the component and it will be > run every time you go to a page with that component. > > And think what will happen, if the component doesn't do its damage the > first time, but the second time or later. Even if you don't want to run > it, it will be run. And it might not even be shown on the screen. > > -- > Sami Kuhmonen | samiat_private | http://feenix.iqs.fi/ > iQs Partners Finland | iqsat_private | http://www.iqs.fi/ > !!Webhotellit ilman avausmaksua!! | http://www.saitti.net/ > * Tutustu verkkokauppaan! | http://kauppa.iqs.fi/ *
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:02 PDT