FW: Windows Update - Unsafe ActiveX control (fwd)

From: Dave Ahmad (daat_private)
Date: Thu Jul 17 2003 - 14:44:37 PDT


    ---------- Forwarded message ----------
    Date: Thu, 17 Jul 2003 XX:XX:XX
    To: Dave Ahmad <daat_private>
    Subject: FW: Windows Update - Unsafe ActiveX control
    
    Hi,
    
    I would prefer not to reply to this post directly, but if possible can
    you please mention the following (anonymously):
    
    ----------
    "Safe for Scripting" simply means that the control is safe to be used
    from untrusted callers. SFS controls can access files and other
    resources if it is in a controlled way (eg, with the consent of the
    user). Windows Update is safe because it only allows itself to be hosted
    from the Windows Update site. If you try and host the control from
    another domain, the control will not work. Since the Windows Update site
    only ever uses the control for "good" purposes, and requires the user's
    consent to install patches, etc. it is considered "Safe for Scripting".
    _All_ ActiveX controls can access memory and registers directly, whether
    they are marked as safe or not, since they typically are implemented in
    native code ;-)
    
    Windows Update does not require you to run "unsafe" controls;
    unfortunately the generic error that appears when you disable scripting
    of _safe_ controls makes it sound like there are _unsafe_ controls. If
    you enable scripting of "safe" controls then the site should work fine.
    If you are concerned about securing the browser, I recommend that you
    place Windows Update in the "Trusted Sites" zone and run that in the
    "Medium" security mode, and run the rest of the "Internet Zone" in
    "High" mode, although this will break a lot of sites.
    
    -----Original Message-----
    From: Jackson, Chris [mailto:CJacksonat_private]
    Sent: Thursday, 17 July 2003 10:35 AM
    To: 'Siddhartha Jain(IT)'; BUGTRAQ@SECURITYFOCUS.COM
    Subject: RE: Windows Update - Unsafe ActiveX control
    
    > "An ActiveX control on this page is not safe. Your current security
    > settings prohibit running unsafe controls on this page. As a result,
    > this page may not display as intended."
    > So Microsoft expects me to download critical patches using an unsafe
    > ActiveX control??
    
    Safe for Scripting indicates that a control does not access files,
    memory, or registers directly. The only purpose of the Windows Update
    control is to access (and update) files directly, so it should not be
    marked as safe for scripting.
    
    --
    Chris Jackson
    Software Engineer
    Microsoft MVP
    -- 
    
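    The forwarded message distinguishes scripting of "safe for scripting" controls from scripting of unsafe ones, and recommends Windows Update in the Trusted Sites zone at Medium with the Internet zone at High. The following PowerShell audit is an added example, not part of the thread; it reads the per-user Internet Settings registry keys (zone 2 = Trusted sites, zone 3 = Internet, action 1405 = script SFS controls, action 1201 = script controls not marked safe) and reports where the configuration departs from that recommendation. The Windows Update hostname used for the zone-map check is an assumption, not taken from the thread.

```powershell
# Added example: audit IE zone settings discussed in the thread (not code from the original post).
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$wuHost = @{ Domain = 'microsoft.com'; Sub = 'windowsupdate' }   # assumed Windows Update host

# Zone template levels as stored in the CurrentLevel DWORD of each zone key.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium';
                 0x11500 = 'Medium-High'; 0x12000 = 'High' }
# Per-action settings: 0 = Enable, 1 = Prompt, 3 = Disable.
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActiveXPolicy {
    param([int]$Zone, [string]$Name)
    $key = Get-ItemProperty -Path "$base\Zones\$Zone" -ErrorAction SilentlyContinue
    if (-not $key) { throw "Zone $Zone key not found under $base" }
    [pscustomobject]@{
        Zone  = $Name
        Level = $levelNames[[int]$key.CurrentLevel]
        # 1405: "Script ActiveX controls marked safe for scripting" (what Windows Update needs)
        ScriptSafeControls   = $actionNames[[int]$key.'1405']
        # 1201: "Initialize and script ActiveX controls not marked as safe" (never Enable)
        ScriptUnsafeControls = $actionNames[[int]$key.'1201']
    }
}

$trusted  = Get-ZoneActiveXPolicy -Zone 2 -Name 'Trusted sites'
$internet = Get-ZoneActiveXPolicy -Zone 3 -Name 'Internet'
$trusted, $internet | Format-Table -AutoSize

# The thread's recommendation: Trusted sites at Medium, Internet at High.
if ($trusted.Level  -ne 'Medium') { Write-Warning 'Trusted sites zone is not at Medium' }
if ($internet.Level -ne 'High')   { Write-Warning 'Internet zone is not at High' }
# Disabling 1405 in the zone that hosts Windows Update is what produces the
# misleading "unsafe control" error quoted in the original question.
if ($trusted.ScriptSafeControls -ne 'Enable') {
    Write-Warning 'Scripting of SFS controls is not enabled in Trusted sites; Windows Update will fail'
}
foreach ($z in @($trusted, $internet)) {
    if ($z.ScriptUnsafeControls -eq 'Enable') {
        Write-Warning "Zone '$($z.Zone)' allows scripting of controls NOT marked safe"
    }
}

# Zone map: confirm the Windows Update host is actually assigned to Trusted sites (2).
$mapPath = "$base\ZoneMap\Domains\$($wuHost.Domain)\$($wuHost.Sub)"
$map = Get-ItemProperty -Path $mapPath -ErrorAction SilentlyContinue
if (-not $map -or (($map.http -ne 2) -and ($map.https -ne 2))) {
    Write-Warning "$($wuHost.Sub).$($wuHost.Domain) is not mapped to the Trusted sites zone"
}
```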
    This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 14:55:07 PDT