You are right. There's NO browser sandbox for ActiveX controls.

We know the Porn Dialers problem. Our proactive applications blocked them based on our own sandbox implementation.

Only unsigned ActiveX controls can be limited. End users can only approve ActiveX controls signed by a specific signer, if the browser's security setting isn't low. Letting end users make security decisions isn't a good idea.

You can ask your boss to try the following demo:
www.finjan.com/mcrc/activex.cfm

I hope it helps.

Regards,
Menashe Eliezer
Manager, Malicious Code Research Center
Web: http://www.finjan.com/mcrc

-----Original Message-----
From: Jonathan Mole [mailto:jonathanat_private]
Sent: Tuesday, March 19, 2002 2:52 PM
To: vuln-devat_private
Subject: Simple question about ActiveX and IE

This is probably a very simple question, with a very simple answer.

I am running Windows 2000 with all the latest service patches. We have written an interface for Internet terminals (based on the IE6 libraries), we need to allow ActiveX and ActiveX downloading, as the users could be going to any page on the web.

My boss is sure that there is a way to allow ActiveX, but to allow it absolutely no access to other files on the system? Could somebody tell me if this is true or not, and if so, what group policies/registry settings do I need to change.

I have always believed that there was no sandbox for ActiveX controls. Remember seeing one that checks for various files on your system.

The main problem we have is due to Porn Dialers. Once the ActiveX control has run, they add a new connection to dialup networking.

Thanks in advance,
Jonathan Molando
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 21:09:13 PST