
Not broad enough!
How about a kill-bit that disables ActiveX?
This week's Patch Tuesday update was nearly as difficult to digest as a Michael Phelps's breakfast. It contained 11 bulletins covering 26 underlying vulnerabilities, the most in two years. With all this high-calorie content to chew through, two important points about the update have gone largely overlooked. Firstly, a promised …
I have no idea what later & greater versions of Windows offer, but Win98 + IE 6 has a setting to disable ActiveX.
Regrettably, I can't tell you just where it's located: IE, control panel, or what. All I can remember is that to fully cut the balls off IE you have to turn off a whole bunch of things of which some are in one place, some in another.
My flabber remains ghasted that MS still insists on ActiveX at all. The technology was fingered as a major security problem when it was still a babe in arms; here we are, a good 10 years later and ActiveX continues to plague us with wet and poopy diapers. So to speak.
If they absolutely have to use ActiveX in the browser, the browser should come with a set of "allow bits" -- a list of the specific ActiveX controls that _are_ allowed. That would be crammed in the Registry just like the current "kill bits", and could be modified by MS updates or 3rd party apps that actually _intend_ to add ActiveX controls to the browser's repertoire.
Allowing the browser to invoke random routines from random installed code just because some hacker with a web page knows its CLSID is insane.
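As an added example, not part of this thread or of any Microsoft tooling, here is a PowerShell audit of the "kill bit" side of what the comment above describes: it lists the ActiveX controls registered on the local machine and shows which ones already carry a kill bit and which remain loadable by IE. It assumes a Windows host and the documented kill-bit layout (DWORD `Compatibility Flags`, bit 0x400, under the `ActiveX Compatibility` key); the legacy `Control` marker subkey is used to tell controls apart from other COM classes.

```powershell
# Added example (not from the thread): audit installed ActiveX controls against IE kill bits.
# Kill bits live under HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# as the DWORD 'Compatibility Flags'; bit 0x400 means "never instantiate in IE" (KB240797).
$KillBit    = 0x400
$CompatPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBittedClsid {
    # Return the CLSIDs (with braces) whose Compatibility Flags include the kill bit.
    Get-ChildItem -Path $CompatPath -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band $KillBit) -ne 0)) { $_.PSChildName }
    }
}

function Get-InstalledControl {
    # Registered COM classes carrying the legacy 'Control' subkey, i.e. OLE/ActiveX controls.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -Path (Join-Path $_.PSPath 'Control') } |
        ForEach-Object {
            $server = Join-Path $_.PSPath 'InprocServer32'
            [pscustomobject]@{
                Clsid  = $_.PSChildName
                Name   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                Server = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            }
        }
}

function Get-ActiveXExposure {
    # Join the two views: a control with no kill bit is one IE will load when a page names its CLSID.
    $killed = @(Get-KillBittedClsid)          # -contains is case-insensitive for strings
    Get-InstalledControl | ForEach-Object {
        $_ | Add-Member -NotePropertyName State -PassThru `
             -NotePropertyValue ($(if ($killed -contains $_.Clsid) { 'KILL-BIT' } else { 'LOADABLE' }))
    }
}

# Report the loadable controls first: that is the surface the comment above is worried about.
Get-ActiveXExposure | Sort-Object State, Name | Format-Table State, Clsid, Name, Server -AutoSize
```

Run it from an elevated prompt if you also want to see per-machine entries that a standard user cannot read; the output is read-only and changes nothing in the registry.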
"ActiveX Opt-In automatically disables entire classes of controls—all controls the user has not previously enabled—which greatly reduces the attack surface. This new feature works directly to mitigate the potential misuse of pre-installed controls. Users will now be prompted by the Information Bar before a previously installed, but as yet unused ActiveX control can be accessed. This notification mechanism will provide users the ability to permit or deny access when viewing unfamiliar websites. For malicious websites that attempt automated attacks, ActiveX Opt-In helps protect users by preventing unwanted access and gives the user control. In the event the user does opt to permit loading an ActiveX control, the appropriate control is easily enabled by clicking in the Information Bar."
A step in the right direction, I have to agree, but most users will just click the info bar; after all, they are just after the content. Do they understand what they do? Have you ever worked help desk? It hurts. Are not all websites unfamiliar the first time round?
Most Reg visitors are IT literate, so you preach to the converted here, although not necessarily the wise :-) The average computer user is in an entirely different class altogether... Forgive them <insert deity of choice> for they know not what they do.