Braindump: ActiveX in Windows 8

Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve…

Brain Dump: Shims, Detours, and other “magic”

Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve…

Authenticode, HTTPS, and Weak RSA Keys

Over on the Microsoft PKI blog, there’s some important information about upcoming changes for website operators who use HTTPS or deploy Authenticode-signed applications or ActiveX controls. Weak RSA Keys Blocked To briefly summarize the PKI team’s post, a security update coming to Windows 2008, Win7, Windows Vista, Windows 2003, and Windows XP in August 2012…

Authenticode and Weak Certificate Chains

Recently, someone attempted to download a deprecated version of the Windows Script debugger. This tool was used to debug scripts prior to the introduction of more powerful, modern tools like those that are built into IE8 and later. The user emailed me when they encountered a very surprising outcome: After clicking the Run button, the…

Consent and Browser Refreshes

Modern browser APIs like the GeoLocation API are designed to have an asynchronous consent experience, whereby the API simply will not undertake a privileged action until the user consents. Unfortunately, many browser features like popup windows and ActiveX controls were designed before privilege limitations were introduced, and many websites are designed with the expectation that…

Controlling Java in Internet Explorer

Recently, there’s been some interest in how to control the use of Java within Internet Explorer. Java is a unique form of extensibility because it can be invoked in two ways: Using an APPLET element Using an OBJECT element with a CLSID of a JVM These two invocation methods are subject to different security controls,…

The Web Browser Control and the Silent Flag

Applications that host the Web Browser Control have the opportunity to set the Silent flag to suppress all dialogs that the web browser control may generate. In some cases, this is useful, because it can help ensure a “quiet” user experience without unexpected popups. Current versions of the .NET Framework expose the Web Browser Control’s…

Controlling ActiveX in Internet Explorer

In today’s post, I’ll provide a high-level overview of features in Internet Explorer that impact the loading of ActiveX controls. Internet Explorer 6 and later allow the user to enable or disable ActiveX controls on an individual basis using the Manage Add-ons screen. Internet Explorer 7 introduced the ActiveX Opt-In feature. This feature showed the…

Understanding Local Machine Zone Lockdown

Recently, a colleague sent me an email which provided a flashback into my own past: Hey, Eric– Why do we show this when opening HTML locally? What are we protecting the user from? -Ben I myself had sent an email with almost the same text nearly seven years ago, and the surprisingly complicated answer is…

Certificate Enrollment from the Browser

Back in Windows XP, an ActiveX control known as XEnroll could be used from the browser to request digital certificates on the client’s behalf. Certificate authorities and others would use this control when a customer purchased a certificate for code signing, server authentication, or other purposes. In Windows Vista, XEnroll was deprecated (and prevented from…