Developing Safer ActiveX Controls Using the Sitelock Template

Last Friday, Microsoft released a new version of the SiteLock Template for ActiveX Controls. The SiteLock template helps ensure that controls you’ve developed for use on your websites cannot be repurposed and used by other (potentially malicious) websites.

Why use the SiteLock template?
Under the default security model for ActiveX controls, a control is simply marked "safe" (for scripting and initialization) or not, and that mark applies to every website that loads it inside Internet Explorer. A control that is marked "safe" can be used by any Web page, while a control not marked safe is blocked by IE's default zone settings.

The SiteLock Active Template Library (ATL) template enables ActiveX control developers to restrict the use of an ActiveX control to a predetermined list of domain names or security zones. This limits the ability of other Web pages to reuse the control. For example, you can use the SiteLock template to ensure that an ActiveX control developed for use within your Local intranet zone cannot be used by pages in the Internet zone. This reduces the attack surface presented by your control: even if it contains a security flaw, that flaw cannot be exploited by pages on the Internet, because your control will refuse to run outside of your Local intranet zone. The lock is only as strong as the sites on the list, however. A page on an allowed domain (including one that has been compromised through a script-injection flaw) can still use the control, so keep the list as narrow as possible and keep validating the control's own inputs.

How it works
The SiteLock Template determines where the control is being hosted and decides if the domain and security zone of the hosting Web page are permitted to run the control. If the hosting domain is not in a pre-selected list of “safe” domain names or security zones, the control declares itself unsafe and Internet Explorer unloads it.

The SiteLock Template replaces ATL's standard IObjectSafetyImpl with its own implementation of IObjectSafety, called IObjectSafetySiteLockImpl. When IE asks the control whether it is safe, this implementation queries the host for the URL of the Web page that is hosting the ActiveX control, extracts the protocol scheme and fully qualified domain name from that URL, and compares them against a list of trusted sites that the developer compiles into the control at build time to decide whether the hosting site should be trusted.

In some cases, a control may also have a limited expected lifespan. Once the control's useful lifespan has elapsed, it is of no value to anyone except malicious sites, should a security problem later be found in it. Therefore, SiteLock also includes an optional mechanism to automatically "expire" the control after a developer-chosen date, after which it declares itself unsafe regardless of the hosting site.
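To make the decision in the two paragraphs above concrete, here is an added example in stand-alone C++ that models the same check: parse the hosting page's URL, extract the scheme and fully qualified host, compare them against a build-time allow list, and refuse to run after an optional expiry date. It is illustration written for this post, not the SiteLock template's own code, and it does not use any Windows or ATL API. The allow list for contoso.com, the "*." subdomain convention, the YYYYMMDD date integers and the sample page URLs are all constructed for the example.

```cpp
// Added example (not the SiteLock template's own code): a stand-alone model of
// the check the post describes. Given the URL of the hosting page, it extracts
// the scheme and fully qualified host, compares them against an allow list
// fixed at build time, and honours an optional expiry date.
#include <iostream>
#include <string>
#include <vector>

struct SiteEntry {
    std::string scheme;  // "http" or "https"; compared case-insensitively
    std::string host;    // FQDN; a leading "*." (this example's convention) matches subdomains only
};

// ASCII lower-casing; schemes and DNS names are ASCII.
static std::string toLower(std::string s) {
    for (char &c : s)
        if (c >= 'A' && c <= 'Z') c = static_cast<char>(c - 'A' + 'a');
    return s;
}

// Split "scheme://[userinfo@]host[:port][/path][?query][#frag]" into scheme
// and host. Userinfo and port are discarded so that
// "http://www.contoso.com@attacker.example/" yields attacker.example, not
// www.contoso.com. Returns false for anything without that shape (e.g. file:///).
bool parseSchemeAndHost(const std::string &url, std::string &scheme, std::string &host) {
    const size_t sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return false;
    scheme = toLower(url.substr(0, sep));

    const size_t start = sep + 3;
    const size_t end = url.find_first_of("/?#", start);
    std::string authority = url.substr(start, end == std::string::npos ? std::string::npos : end - start);

    const size_t at = authority.rfind('@');           // drop userinfo
    if (at != std::string::npos) authority = authority.substr(at + 1);

    if (!authority.empty() && authority[0] == '[') {  // IPv6 literal: keep brackets, drop :port
        const size_t close = authority.find(']');
        if (close == std::string::npos) return false;
        authority = authority.substr(0, close + 1);
    } else {
        const size_t colon = authority.find(':');      // drop :port
        if (colon != std::string::npos) authority = authority.substr(0, colon);
    }
    if (authority.empty()) return false;
    host = toLower(authority);
    return true;
}

// True if `host` matches the (already lower-cased) allow-list entry `pattern`.
static bool hostMatches(const std::string &pattern, const std::string &host) {
    if (pattern.compare(0, 2, "*.") == 0) {
        const std::string suffix = pattern.substr(1);  // e.g. ".intranet.contoso.com"
        return host.size() > suffix.size() &&
               host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return pattern == host;
}

// The decision: may a control with this allow list and expiry run on the page
// at hostUrl? Dates are YYYYMMDD integers; expiry 0 means the control never
// expires. A parse failure or an unlisted site fails closed.
bool siteLockAllows(const std::vector<SiteEntry> &allowed, int expiry, int today, const std::string &hostUrl) {
    if (expiry != 0 && today > expiry) return false;
    std::string scheme, host;
    if (!parseSchemeAndHost(hostUrl, scheme, host)) return false;
    for (const SiteEntry &e : allowed)
        if (toLower(e.scheme) == scheme && hostMatches(toLower(e.host), host)) return true;
    return false;
}

// Constructed allow list for a hypothetical control published by contoso.com.
std::vector<SiteEntry> contosoAllowList() {
    return { {"https", "www.contoso.com"},
             {"http",  "www.contoso.com"},
             {"https", "*.intranet.contoso.com"} };
}

int main() {
    const int today = 20080101;  // constructed "current date" for the demo
    const char *pages[] = {
        "https://www.contoso.com/app.htm",
        "HTTPS://WWW.CONTOSO.COM:443/app.htm",
        "http://www.contoso.com@attacker.example/",
        "https://attacker.example/?u=https://www.contoso.com",
        "https://portal.intranet.contoso.com/",
        "file:///C:/local.htm",
    };
    for (const char *p : pages)
        std::cout << (siteLockAllows(contosoAllowList(), 0, today, p) ? "allow  " : "refuse ") << p << '\n';
    return 0;
}
```

The shape of the check matters more than the string handling: the URL comes from the host, so the parser strips userinfo and port before comparing, the comparison is exact on both scheme and host, and every failure path returns "unsafe". The real template additionally understands security zones, which this model leaves out.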

Other Resources
Last month, we blogged about best practices for developing ActiveX updates to help ensure that users of your ActiveX controls are always running the latest version.

The MSDN article Designing Secure ActiveX Controls provides an overview of the ActiveX security model, what it means for a control to be safe, and other best practices for developing ActiveX controls. You can learn more about IE7 changes to ActiveX support in the MSDN article ActiveX Security: Improvements and Best Practices.

Call to Action
Please help Internet Explorer protect users of your ActiveX controls by incorporating the updated SiteLock Template when developing or updating your ActiveX controls.

Thanks!

EricLaw
Program Manager