It rather involved being on the other side of this airtight hatchway: Local execution


The security response team gets all sorts of reports, and a good number of them are from people who just get excited that they were able to do something unusual, even if it isn't a security vulnerability.

Attached please find a security exploit in the ABC ActiveX control. If you save this Web page to a file and double-click it, it <does something that Web pages shouldn't be allowed to do>.

The security folks study the Web page and discover that it indeed uses the ABC ActiveX control and invokes a method that is not safe from untrusted script, say, delete a file. But the control is marked not safe for scripting. How can script execute it?

More careful study shows that the not safe for scripting attribute is indeed being respected. Copying the page to a Web server and visiting it from Internet Explorer blocks the creation of the ActiveX object, as expected. The only reason the local Web page version works is that you copied the file to your computer and ran it from there. If you do that, it runs in the context of the local computer rather than an untrusted Web server.

When this was pointed out to the person reporting the alleged vulnerability, the explanation was, "That's right. To use this exploit, you have to convince users to save the file to their computer and double-click it. I understand that there is a lot that would have to happen for this exploit to succeed, but it's still possible."

Well, heck, if that's your M.O., then why bother with the Web page? You can do the same thing with a boring executable. "To use this exploit, you simply have to convince users to save the file to their computer and double-click it. I understand that there is a lot that would have to happen for this exploit to succeed, but it's still possible."

Saving the file to the local computer is the step that crossed the security boundary. And that's the step these people just waved their hands at. They're assuming they're on the other side of the airtight hatchway and then proclaiming, "Woo-hoo! I managed to sneak to the other side of the airtight hatchway!"

Comments (68)
  1. Pierre B. says:

    Well, usually I agree with you on these things… but this one is a borderline case that IMO falls on the wrong side of the line.

    I sometimes save web page for later rapid and easy consultation. I don’t expect that HTML will gain extraordinary power and pose a security risk just because I saved it on my computer.

    I think Microsoft should consider wrapping saved web pages the same way they wrap executable saved from the web, with at least a warning when I open it again or, better still, a wrapper that sets the trust level of IE to the same trust level that was in effect when the page was saved.

  2. Name required says:

    Absolutely agree with Pierre. If there’s the possibility of something bad happening off a saved web page (or an html attachment sent via email?) then that’s A Bad Thing.

  3. Rather than argue that a user should reason like a computer, a better case can be made that the computer should reason like the user.

    For example, build protection into the executable and file system so that the OS "knows" where the file came from and how it got there and limit what it can do accordingly.

    To the user it’s the same file, and she doesn’t need or want to know how or why clicking a file/link makes it appear on the screen. The mechanics of what makes it appear on the screen is an implementation detail. The user expects it to behave correctly in all cases.

  4. Drak says:

    I agree with Raymond; if you bring the horse into your city, it’s your responsibility, not Microsofts.

    Same as executables, I guess.

  5. Bryan says:

    I, as well, strongly disagree that Microsoft should manage our offline content.  I agree with Raymond’s assessment.

    There’s a stark and substantial difference between running a saved webpage (which average users do not do) and running an exe file (which nearly every single user ever to touch the internet has done).

    I think that difference is really important.

  6. Skywing says:

    dalevine: IE and the shell already do this.  That’s why you get the additional confirmation dialog when you initially try to launch a program that you saved via IE on XPSP2.  (This feature requires NTFS to operate and will not necessarily be visible to programs that do not call upon the shell to launch programs.)

    Ironically, it seems that people frequently bemoan this feature as useless and annoying.  I suppose that you’re damned if you do and damned if you don’t? :)

  7. anonymous says:

    Some suggestions about security boundaries here are utterly stupid. Websites might contain resources like images, frames, style sheets etc., so when locally saved, the website should be generally able to read local files. For the same reasons, it should be able to request dynamic resources from webservers.

    It can abuse this privilege to read arbitrary text files, get their content using .innerHTML, and submit it to a webserver. There’s no way around it: locally saved websites are more powerful, and that’s exactly why one should never open a website from an untrusted source from local storage. Competent users know that and respect that – those who don’t shouldn’t complain, because it’s solely their fault.

  8. I’m kind of on the border with this. Because it’d be pretty easy for an app hosting IE to use it irresponsibly. For example, you could envision a mail application that uses Shdocvw to render an email message that it had saved locally to a temp directory. Now perhaps IE considers the temp directory a danger zone, so I don’t know.

    I just know that IE has come under a lot of fire for things that really aren’t "flaws", just things that appear to be dangerous. The problem is we’re (well, not me) struggling to make the web work more and more like the desktop (again) and all we’re really doing is running client apps in more complex configurations inside of an activex host. Time to give up the love affair with web apps and focus on better client-side deployment.

  9. Jess Sightler says:

    I’m not sure who to agree with on this one, as I don’t fully understand how this "exploit" would happen.

    In my experience, IE gives a stern warning and requires you to click through a "this could be unsafe" dialog to run any scripting from a local file.

    Why would this case have been any different?

  10. Andrew Feldstein says:

    But users don’t think of or treat web pages the same as executables–they aren’t "programs" in most users’ minds.

    The web page attached to an email is a good example.  (An email comes from the internet too, right?)  Why should clicking the link in an email be treated differently than clicking a link in a browser–it’s the same action, just executed from within different programs.

    The subtlety of it mattering what program you’re running when you’re performing an action like clicking–which is "safe" in one place and not in the other–is beyond most of us.

    So I vote with Pierre too.

  11. MS says:

    I thought IE now goes nuts on ActiveX from anywhere.  Anyhow, I think this is mitigated by running IE in a serious sandbox, which on XP is doable with the "DropMyRights" app I found on MSDN.  Vista always does it by default now for IE7.  (Even if you’re running as a limited user, you can always clamp down even tighter.  This isn’t limited to IE, mind you, I’ve run IM programs and the much vaunted FireFox in that sort of thing.)

  12. Yosi says:

    Raymond is wrong. This is typical for MS to miss a point in security features.

    I never expect a web page to behave differently just because I saved it on my local disk. Raymond’s explanation is complete WTF.

  13. mcarbenay says:

    Errr… isn’t IE already lowering the trust level of some types of local web pages? For example, when I look at an xml file from my computer, IE blocks the javascript of the default style (which is quite annoying…).

    Doesn’t IE do the same for a scripting-unsafe activeX control ?

  14. Mike Dimmick says:

    Wow, lots of you asking for a feature that already exists. It’s called ‘Mark Of The Web’. When you save this page in IE, it adds a comment to the top of the page saying

    <!-- saved from url=(0055)http://blogs.msdn.com/oldnewthing/comments/5788080.aspx -->

    When you open the saved file in IE, it uses this information to compute which zone the page was in. Try it: watch the zone indicator in the bottom-right corner. Save this page, reopen it, and you’ll see that you’re still in the Internet zone. IE applies the security settings from the correct zone and therefore won’t initialize something not marked safe-for-scripting. So just saving the page will not allow the security barrier to be breached.

    Mark Of The Web has been in IE since version 4.0 according to http://msdn2.microsoft.com/en-us/library/ms537628.aspx. IE 6.0 SP2 (in XP SP2) adds support for it to Multipart HTML (.mht) files, which store a web page and the images and scripts it refers to as a single file.

    IE6 SP2 added Local Machine Lockdown which turns off all scripting support, but this feature can be turned off and often is by web developers. This was added as a mitigation for a lot of attacks which forced the browser into the Local Machine zone. If you want to force your page running from a file URL into a different zone you can add a MOTW to the page.
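As an added illustration (not part of Mike Dimmick’s comment, the MSDN article, or any Microsoft code), the following Python reads the Mark of the Web described above from a saved HTML file, checks that the four-digit length prefix really matches the URL, and reports the trust context the page would fall into. The zone mapping is a deliberate simplification and an assumption of this example, not IE’s actual zone tables; `about:internet` is the generic Internet-zone marker documented on the linked MSDN page, and the sample files are constructed here.

```python
import re
from urllib.parse import urlsplit

# Mark of the Web as written by IE: an HTML comment carrying a four-digit,
# zero-padded character count in parentheses followed by exactly that many
# characters of the URL the page was saved from.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)

# Constructed sample files for this example. The first reuses the MOTW line
# quoted in the comment above; the others are made up.
SAVED_PAGE = (
    "<!-- saved from url=(0055)http://blogs.msdn.com/oldnewthing/comments/5788080.aspx -->\n"
    "<html><body>saved copy</body></html>\n"
)
ABOUT_INTERNET_PAGE = "<!-- saved from url=(0014)about:internet -->\n<html></html>\n"
BAD_LENGTH_PAGE = "<!-- saved from url=(0012)http://example.invalid/page.html -->\n<html></html>\n"
UNMARKED_PAGE = "<html><body>no mark at all</body></html>\n"


def parse_motw(html):
    """Return (url, declared_len, length_ok) for the first MOTW found, or None."""
    m = MOTW_RE.search(html)
    if not m:
        return None
    declared = int(m.group(1))
    url = m.group(2)
    return url, declared, declared == len(url)


def make_motw(url):
    """Build a well-formed MOTW comment for url, e.g. for a page shipped on disk
    that should still run with Internet-zone restrictions."""
    if len(url) > 9999:
        raise ValueError("MOTW length field is limited to four digits")
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)


def classify_saved_page(html):
    """Report how a saved page would be treated when reopened from disk.

    Simplified zone model (an assumption for this example, not IE's real
    zone configuration): a valid MOTW with an http(s) URL or the
    about:internet marker -> 'internet'; a file: URL -> 'local machine';
    no MOTW, or a malformed one -> 'local machine (lockdown)', the case the
    thread describes for files that lost their mark.
    """
    parsed = parse_motw(html)
    if parsed is None:
        return {"motw": None, "valid": False, "zone": "local machine (lockdown)"}
    url, declared, ok = parsed
    if not ok:
        # Declared length disagrees with the URL: do not trust the mark.
        return {"motw": url, "valid": False, "zone": "local machine (lockdown)"}
    scheme = urlsplit(url).scheme.lower()
    if url.lower() == "about:internet" or scheme in ("http", "https"):
        zone = "internet"
    elif scheme == "file":
        zone = "local machine"
    else:
        zone = "unknown"
    return {"motw": url, "valid": True, "zone": zone}


if __name__ == "__main__":
    samples = [("saved", SAVED_PAGE), ("about:internet", ABOUT_INTERNET_PAGE),
               ("bad length", BAD_LENGTH_PAGE), ("unmarked", UNMARKED_PAGE)]
    for name, page in samples:
        print(name, classify_saved_page(page))
    print(make_motw("about:internet"))
```

Run against a folder of saved pages, the `valid`/`zone` fields are enough to spot files that will open in the Local Machine zone rather than with the restrictions of the zone they came from.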

  15. Leo Davidson says:

    Perhaps one solution is for web browsers to have a "Save and Sanitise" command which strips out scripts and so on before saving a basic version of the rendered page to disk. Most of the time when I save a webpage I just want to be able to read what’s on the screen later without worrying whether the web server/page is still up or running slowly and this would solve that problem while removing all risks. (I’d be happy with a big "screenshot" of the page provided I could copy & paste text from it.)

    I’m a technical user but I never thought about this before and have saved and later double-clicked lots of web pages without realising the risk. It’s obvious now that it has been pointed out, of course, but I bet many people don’t realise it.

    HTML seems fairly unique in this context. If you download a JPEG or an MP3 and double-click it later then it’s treated as data, not code, and is harmless (unless there’s a buffer-overflow bug in the program handling the data). HTML feels like data to most people most of the time but obviously can contain code/scripts.

    I think, as other people have said, IE7 does warn about ActiveX objects for local HTML files, though. I have to click a pop-up every time I test a local copy of a page of mine which uses Flash.

  16. Mihai says:

    For most people a web page is not an application.

    And MS is the only one running executables from a web page. If I save a web page from Firefox and view it later, nothing happens.

    ActiveX was a bad idea, still is, and MS is the only one implementing it.

    [Shhh, don’t tell anyone that Firefox can run Flash. -Raymond]
  17. Dewi Morgan says:

    Well if stuff in the cache counts as "on the local computer" then clicking the "work offline" button would expose the user to risk.

    But I doubt the designers would be daft enough to treat cached or saved-for-offline-use stuff as "local" – they surely are run with remote permissions, just cached locally.

    But if you asked a thousand users "is a web page an executable? Is a word document?" the majority would say "no". So any of you using that term to describe what the users are doing here should think long and hard whether you are using the clearest definition, before trying to advise users.

    For a lovely few years in the 90s there was a time where the distinction between "executable" and "document" was relevant. Then macro viruses burst forth, and the "don’t trust executables" line became a nonsense.

    If it’s true that MS wraps downloaded executable content, but not web pages or doc files, then it would seem that MS has provided an airtight hatchway against only some filetypes, and against others, it’s provided a decidedly leaky one.

    IE, if I remember correctly, modifies saved HTML with some kind of a saved-from line. The files should, one expects, run under the context of the host listed in that line.

  18. Rich Elison says:

    ActiveX was a bad idea? Why? I can think of a bunch of instances where COM and ActiveX were perfect solutions to the problems we had to solve. So is it really that ActiveX/COM was/is bad? Or is it that you really have no idea what the technology is and just figured you’d jump on the ActiveX sucks bandwagon? Could you maybe offer some explanation as to what part of ActiveX sucks so some of us could learn something. Because as it stands your post was, still is, a waste of space.

  19. JD says:

    Yosi:  what is a ‘web page’?  

    • is a .txt file on a server a ‘web page’?
    • is a .swf file on the local drive a ‘web page’?
    • is an .exe a ‘web page’ if it makes http requests?

    Is it a WTF to allow any of these to be accessed under full trust? If so, which one(s)?

    Security is nice, but at some point, the user’s expert knowledge is an undeniable necessity.  The day that no user can corrupt a machine through careless use is the day that all actual software will become completely useless.

    We need to teach users better, get out of their way as much as possible, and never attempt to think it’s a good thing to dumb them down.  There will always be malicious code available somewhere – why should it be 100% our responsibility to prevent it running – surely responsibility falls on the user at some point?

    There are always going to be pick-pockets and purse-snatchers in the city…should citizens be taught to expect that they can walk around as if there weren’t any?  If someone told me they believed that – well, now THAT would be a WTF.

  20. Dave says:

    Pierre B: "I think Microsoft should consider wrapping saved web pages the same way they wrap executable saved from the web, with at least a warning when I open it again or, better still, a wrapper that sets the trust level of IE to the same trust level that was in effect when the page was saved."

    You’re in luck! Microsoft recently obtained a time machine and has implemented the functionality you requested starting in IE6 on Windows XP SP2.

    When you save a file to your local disk from IE, it gets a "mark of the web" keeping it in the security zone from which it was saved. (Google if you’ve never heard of this.)

    If you strip that MoTW out, IE goes into the Local Machine Lockdown zone, which doesn’t permit most ActiveX to run without the user prompt Raymond mentions. If you click through the prompts warning about dangerous access, it will grant you dangerous access. If this occurs and your computer is harmed, send a message to time-machine@microsoft.com and ask them to go back and prevent you from clicking the OK button.

  21. Sergey says:

    BTW: It reminds me of mandatory access control, when you cannot save a file from a higher security level to a lower one.

  22. Skywing says:

    Java applets are not comparable to ActiveX controls.  Flash applets are compatible to ActiveX controls.  If you are tempted to make this comparison between ActiveX and Java (or Flash, or any of the other enhanced scripting / programming languages for browsers that require native browser extensions to support them), then you are misunderstanding the technology.

    ActiveX controls are intended to be used to implement things like a Java plugin, a Flash plugin, and so forth.  They are analogous to the similar sort of browser plugins/extensions that implement this sort of functionality on alternative browsers, such as Firefox.

  23. Triangle says:

    This post by Larry Osterman exactly describes what’s going on here: http://blogs.msdn.com/larryosterman/archive/2006/02/02/523259.aspx

    The windows security model is exactly like a firewall: All good and great until someone manages to break through it. And a decade of email attachment "exploits" demonstrates just how easy breaking through it is. Windows essentially has no security in depth.

  24. Gazpacho says:

    If someone is naive enough that they don’t wonder why they’re being asked to save a web page and open it later…

    what are the chances that they’d be able to?

  25. Mike Diack says:

    Having been an Active X/COM and DCOM (ugh!) programmer for 8 years now, you might expect me to be a fan of it. But I agree with the bulk of the people here.

    Having used it, seen how difficult, insecure and non robust it is both to develop for and use/deployment, it’s a truly dreadful technology, which I truly wish everyone would stop using.

    Just as an example of how weak it (and its relative, Flash) is, I was sent an Excel spreadsheet today – which had (apparently) a flash applet saved in the file for playing “cat bowling”. I mean WTF and also what a howling security hole.

    Let’s get back to basics:

    1) When did some idiot decide that spreadsheets shouldn’t just host numeric data and formulae?

    Analogously.

    2) The same for web pages….

    Need I go on…

    Mike

    [Hate to tell you this, but spreadsheets aren’t for hosting numeric data and formulae any more. They’re mostly used as ad hoc databases. -Raymond]
  26. Gazpacho says:

    <<"Save an Sanitise" command>>

    Aside from the "mark of the web" feature already mentioned, do you realize that you’ve just asked Microsoft to solve the Halting Problem?

  27. Triangle says:

    Wednesday, October 31, 2007 5:20 PM by Gazpacho

    <<"Save an Sanitise" command>>

    Aside from the "mark of the web" feature already mentioned, do you realize that you’ve just asked Microsoft to solve the Halting Problem?

    They have the best programmers in the world, they should be able to :)

  28. mikeb says:

    > do you realize that you’ve just asked Microsoft to solve the Halting Problem?

    While stripping out scripts and objects when saving a web page might make the resulting page useless (but then again, the resulting page might still be useful), it’s hardly close to the Halting Problem.  I imagine it’s about as complex as Outlook not displaying remote content in email messages by default.

  29. Leo Davidson says:

    mikeb, exactly.

    I’m not asking them to analyse the scripts to see if they’re safe (although doing so is still possible, that’s what anti-virus does and it hasn’t solved the halting problem either).

    Rather, I am suggesting that scripts be stripped completely, whether safe or unsafe. All I want is to save the current text, images and layout of what is on screen so that I can open it up again as it is. If I can’t click on certain things anymore, because they had scripts behind them, I don’t care because all I want is to be able to read what was on the screen again at a later date.

    I am also not proposing that the existing Save function be removed as sometimes you want/need the "unsafe" full copy of the page.

  30. anonymous says:

    Websites aren’t programs, but they can contain script code. This code is restricted, and the restriction is determined by the source domain. If you save it locally, then you have assigned it a new domain with more privileges, and you should account for that.

    But claiming that you can’t expect such a change is ridiculous. As a user of a web browser, you should have informed yourself about the cross-domain security model.

    Yes, you can generally limit the local file domain too, but not without breaking important functionality (like including locally saved resources).

    If you don’t want such scripts to run, use an editor to remove the scripts. Or do it programmatically automated. Or at least check the scripts. Or disable local scripts (which might already break something). A classical show-but-don’t execute scripts application is OpenOffice.

    As for Firefox: It treats all scripts from local resources as unprivileged as any other scripts. But it still allows loading local source files and accessing their contents, since they’re from the same domain (file:).

    At any rate, you shouldn’t discuss MSIE in that context. You can always trivially exploit from any context by simply using one of the at least five known unpatched buffer overflow vulnerabilities (that Microsoft was informed about some years ago but decided not to do anything about). Not to mention the ability to instantiate arbitrary ActiveX controls in violation of the policy (because it’s totally broken and sometimes doesn’t work), and cross-site scripting is an inherent design feature (that they tried to loosely limit by blacklisting some functions).

    Same for ActiveX: If half of Windows consists of COM Controls, each of them can be instantiated from IE (which is broken anyway) and accepts untrusted parameters. You’d have to check every of them for every possible scenario, and surely you can’t. That’s why ActiveX is such a bad idea.

    Regarding .NET: Where’s the sandbox? Surely Microsoft wishes one to be there, but it’s well known that with .NET 1.1 (and the implemented backward compatibility in .NET 2.0+) you can make unsafe code (marked as safe) bypass the verifier and then access arbitrary memory locations. And not to mention that the entire security subsystem of the class library is full of reference protection failures which allow Time-of-check-till-Time-of-use attacks against various Permission objects.

    Vista’s IE Protected Mode: You can easily break out of it if you’re patient. Michael Howard has extensively discussed this (f.e. by shared objects in the global namespace), and it has been pointed out multiple times that this Protected Mode thing doesn’t create any new security boundary.

  31. Gazpacho says:

    "2) The same for web pages…."

    I think it happened while you were sleeping under the rock.

  32. DEngh says:

    I agree with Raymond.  If we want computers to be generalist machines, they have to be able to *do things* without being hamstrung trying to interpret human intent.  *People* have a hard time with that.

    If you give enough people enough rope, some will hang themselves.  It doesn’t mean Rope Is Bad, it means People Should Know Rope Can Be Used For Hanging.  No one expects the rope to know what it’s doing is bad for someone.

  33. MS says:

    "1) When did some idiot decide that spreadsheets shouldn’t just host numeric data and formulae?"

    Conditional processing is a very potent tool in a spreadsheet, even without abusing Excel as a DB per se.  I can think of a D20 character creator that allowed you to build a very complete DnD character.  There are going to be many more (and less geeky) examples for sure, but it’s the one I know of first hand.

    "I don’t care because all I want is to be able to read what was on the screen again at a later date"

    YOU don’t care, but a lot of other people just might.  Moreover, I’ve seen and used several pages that use scripting to help determine layout and so on.

    "Windows essentially has no security in depth."

    Except when it does.  If you’re running as a limited user, (which Vista forces) that is a huge gain.  System hijacking is a lot harder to do without system/admin privileges.  Sure, all of the user’s files are vulnerable here, but the system isn’t going to get completely hosed.  While you can break out of some of the sandboxes as somebody else said, it just raises the bar that much more.  Every extra hoop you force a virus writer to jump through makes it that much harder for them.  (Yes, a lot of code in the virus world is shared, but it still increases the difficulty)

    Maybe I should dust off that old OS I wrote for school and sell it.  It’s completely secure!  Mostly because it has an utterly fake TCP/IP implementation and didn’t run much beyond itself.  Hard to hurt something that is so autistic (to borrow the idea from GitS).

  34. Triangle says:

    > If you’re running as a limited user, (which Vista forces) that is a huge gain.  System hijacking is a lot harder to do without system/admin privileges.  Sure, all of the user’s files are vulnerable here, but the system isn’t going to get completely hosed.

    I don’t know about you, but that isn’t something I would consider secure. It also buries anybody who wants to reconfigure parts of their system (Such as %ProgramFiles%) in elevation prompts. Locking off system files from applications shows that there is some hope for windows security, but making it harder for users to do certain things is a huge step back.

    This is pretty offtopic isn’t it

    [Not just off topic, but actually an old topic. -Raymond]
  35. Sergey says:

    >> Raymond is wrong. This is typical for MS to miss a point in security features.

    Agree

    >> For most people a web page is not an application.

    The *right thing* here is not to save to file system content which is considered dangerous by security subsystem. Just block it for all levels which lie above security subsystem.

    Same as antivirus blocks infected files for all processes and actions and not only explorer.exe and ‘launch’ action. You can’t even read an infected file. It is blocked. So blocked content has to be unavailable to all parts of IE (for instance the one which saves pages to disk) and not only to the part which draws things on screen.

  36. BryanK says:

    ActiveX is bad because there’s only a minimal sandbox around it (at least in IE <=6).  Java applets are comparable to ActiveX controls (well, mostly — I’m not sure if you can interact with a Java applet from JS code on the page, but I suspect you can), but they don’t have as many of the security implications, because there’s a strict limit on what actions an applet can take.

    But ActiveX controls can do anything at all, because there’s no runtime to limit them.  Java can do its sandbox (as can .net) because the runtime has to translate the applet into real code, and it can analyze the bytecode to see whether it performs any action that isn’t on the whitelist of allowed-applet-actions.  Without that interpreter layer, ActiveX code can do anything, because at its core it’s directly-executable x86 opcodes.

    Of course ActiveX *needs* to be able to do absolutely anything, because it’s used for windows update.  ("Full system access?  Run setup programs that replace core system DLLs?  Sure!")  But that makes it inherently less secure than a browser plugin with an explicit sandbox.

    (And it’s not like Microsoft can change IE to use a sandbox for everything except the WU control, either.  Even apart from backwards compatibility concerns, they’d get hit by a ton of monopoly conspiracies.  It would have to be a sandbox for everything, or a sandbox for nothing, and the back-compat stuff at this point means it’s a sandbox for nothing.  Except controls that opt-in to a few restrictions via "safe for scripting" bits, etc.)

  37. Skywing says:

    Sorry, that should read "Flash applets are *not* comparable to ActiveX controls".  Fingers not typing the correct thing today :-(

  38. Dave says:

    > BryanK: "But ActiveX controls can do anything at all, because there’s no runtime to limit them."

    There’s a whole *operating system* of runtime to limit them. The problem is that binary executable code running with full system privileges can do anything it wants. Look at Vista’s IE Protected Mode–how can ActiveX controls do "whatever they want" when they don’t even have write access to most of the disk?

  39. Brian says:

    "But claiming that you can’t expect such a change is ridiculous. As a user of a webbrowser, you should have informed yourself about the cross-domain security model."

    That’s when I stopped reading.  This poster has obviously not spent any time with actual users.

  40. Mike Diack says:

    That said, Raymond is right. Sadly I know many data files now host "inappropriate" stuff. I’m still of the old school mind though when he says:

    "[Hate to tell you this, but spreadsheets aren’t for hosting numeric data and formulae any more. They’re mostly used as ad hoc databases. -Raymond]"

    But don’t get me wrong, while I dislike COM, MS is absolutely right, about the greatness of being a limited user. The number of people I meet who moan about Windows being insecure, until I show them the benefits of running as a limited user….

    If I had a quid for every time….

    Mike

  41. JD says:

    "That’s when I stopped reading.  This poster has obviously not spent any time with actual users."

    I suppose you mean the ones who think that once they’re on the internet there is indeed a free lunch…and free pics of Paris Hilton, with no strings attached?  Imho, too many users apparently have an idiot-switch that’s hard-wired to the green light on their DSL router – completely rational in ‘real’ life, yet ridiculously naive on the net.  And…I don’t see how this is our problem.

    In my online experience, I’ve gone from ME to XP to Vista with only the firewall in my router standing between my machines and certain doom…no anti-malware stuff at all. I’ve always run as admin, my machine has been online 24/7, my browser has been IE, and my email client has been some flavor of Outlook. You want to know how many viruses/etc. I’ve dealt with?  

    ZERO.  

    So why haven’t I been blasted?  Basically, it’s because I use the internet to get things done, and I know every link that looks too good to be true is exactly that.  Yet, I personally know otherwise-intelligent adult people who couldn’t go for 5 minutes on a setup like mine without having the machine completely locked up on malware – all because they suffer from the notion that the net is some magical place where you get stuff for free.

    In the end, is this really a software problem?  I think not.  But it is no matter…Computer Security at this point in time could easily be seen by an outside observer to be a de facto religion, complete with all the dogma and legalism which generally accompanies such.

  42. Leo Davidson says:

    …and yes it might break the handful of pages that use script for important layout but none of the Save-Page-To-Disk methods are immune from breaking things and a Save-and-Sanitise option would be very useful to me and, I suspect, many other people.

    So just because YOU don’t care, a lot of other people just might.

  43. Stephen Jones says:

    I find Microsoft’s pseudo-security highly irritating. It’s basically CYA. "Look we sent you a warning! It’s not our fault you ignored it because we send you so many other useless warnings that you’ve stopped taking any notice of them."

    What is indefensible are the hoops you have to go through to disable the crap MS legal department has dreamed up. To actually stop IE from giving you the idiot message that it has blocked (horror!) Javascript on a web page stored locally. First you have to spend up to an hour Googling and searching the knowledge base. Then you have to do a registry hack, but apparently you have to log on and log off for it to have effect so in practice you keep unsecuring other settings because you weren’t told to reboot.

    I write language learning software. The standard platform is a web page with Javascript (the alternative is Flash). If I wanted to distribute the files on CD to save the university bandwidth I presumably would have to integrate Firefox in the DVD to stop the whole experience being a Microsoft sabotaged nightmare.

  44. KenW says:

    Yosi: "I never expect web page behave differently just because I saved it on my local disk. Raymond’s explanation is complete WTF."

    No, it’s not, and you’re a fool if you don’t expect something to behave differently when run on your local machine than it does when it’s run across the internet. If you don’t understand that (and why that’s the case), you have no business being around computers, and definitely have no business spending time on blogs about software development and operating systems.

  45. KenW says:

    Leo: "I’m a technical user but I never thought about this before and have saved and later double-clicked lots of web pages without realising the risk. It’s obvious now that it has been pointed out, of course, but I bet many people don’t realise it."

    But your not realizing the risk doesn’t make sense. Why else would IE have supported different security levels for years now, if it didn’t make a difference somehow. Common sense should tell you that, shouldn’t it?

  46. Thom says:

    "Rather, I am suggesting that scripts be stripped completely, whether safe or unsafe. All I want is to save the current text, images and layout of what is on screen so that I can open it up again as it is. If I can’t click on certain things anymore, because they had scripts behind them, I don’t care because all I want is to be able to read what was on the screen again at a later date."

    So what you want is for Internet Explorer to add a "Save as Bitmap" option!? Perfectly safe. All formatted and readable just as it was when you viewed it.

  47. Triangle says:

    But your not realizing the risk doesn’t make sense. Why else would IE have supported different security levels for years now, if it didn’t make a difference somehow. Common sense should tell you that, shouldn’t it?

    And common sense should tell you that the web page should be given permissions based on where it was generated, not based on whether or not it’s on the local disk.

  48. Stephen Jones says:

    Checking up on this there is a setting to allow everything to run. Just found it in Advanced | Security.

    MS certainly don’t like to tell you about it though. The tech net article on Local Machine Lockdown doesn’t even mention the settings (maybe they only exist in IE7 and the article was written before it came out). When I checked up on it for the work machine some time ago I only got the registry hack.

    MS made two bad decisions:

    The first was to make Administrator the default logon instead of limited user. There were good reasons for this as the noise about UAC shows but MS was right about UAC and all the procrastination has done is give us both UAC and the present mess up with useless security warnings.

    The second was to tie IE in with the OS. There is no excuse for this. It was done at the behest of the legal team in the hope it would allow them to wriggle out of the DOJ lawsuit; not only did it not do that, it has been creating problems ever since.

  49. Stephen Jones says:

    "And common sense should tell you that the web page should be given permissions based on where it was generated, not based on whether or not it’s on the local disk"

    If the web page developer knows about the restrictions he can ensure that by putting in the Mark as Web comment. If it comes from a trusted zone web site then it will be treated as such.

    If the question is just getting Javascript and displayed then the comment `<!-- saved from url=(0013)about:internet -->` will allow it as it gives the file standard internet permissions. The problem comes if you copy a whole CD of web files over to the hard disk. The links will no longer work because the files that are linked to are on the hard disk and for obvious reasons web pages on the internet are not allowed to access files on the local hard disk.

    The alternative of renaming the files from .htm to .hta means that not only do you have to rename every file, which can probably be done as a batch file, but worse, you have to then open every file and go through the source code manually to rename every link to a local file to .hta. Ouch! I think I’m definitely going to be bundling Firefox.
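
    A small script for the copy-a-CD-of-pages-to-disk case described in the comment above, added here as an example; it is not the blog's or the commenter's code. It stamps the `saved from url` comment into every .htm/.html file under a folder, derives the four-digit count from the URL's character length instead of typing it by hand, and reports whether an existing mark's count agrees with its URL. The file names and sample pages are constructed for the demo, and placing the mark after a leading DOCTYPE is this script's choice, not something the page states.

```python
"""Stamp and check the IE "Mark of the Web" comment on saved HTML files.

Added example, not code from the blog post or its commenters. It assumes the
comment format quoted in the thread, '<!-- saved from url=(NNNN)URL -->',
where NNNN is the zero-padded character count of URL (computed here, never
typed by hand). File names and sample pages below are constructed.
"""
import re
import tempfile
from pathlib import Path

# Matches the mark anywhere in the document; captures the count and the URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)
# A leading DOCTYPE, including the newline that follows it, if any.
DOCTYPE_RE = re.compile(r"^\s*<!DOCTYPE[^>]*>[ \t]*\r?\n?", re.IGNORECASE)


def make_motw(url: str) -> str:
    """Build the comment with the length field derived from the URL itself."""
    if not url or len(url) > 9999:
        raise ValueError("URL must be 1..9999 characters for a four-digit count")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def find_motw(html: str):
    """Return (declared_count, url, count_ok) for the first mark found, or None."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared, url = int(m.group(1)), m.group(2)
    # A count that disagrees with the URL is the usual hand-editing mistake.
    return declared, url, declared == len(url)


def stamp_html(html: str, url: str = "about:internet") -> str:
    """Insert a mark after a leading DOCTYPE (else at the top); no-op if present."""
    if find_motw(html) is not None:
        return html
    mark = make_motw(url) + "\n"
    m = DOCTYPE_RE.match(html)
    if m:
        return html[: m.end()] + mark + html[m.end():]
    return mark + html


def stamp_tree(root: Path, url: str = "about:internet") -> list[Path]:
    """Stamp every .htm/.html under root; returns the files that were changed."""
    changed = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        original = path.read_text(encoding="utf-8", errors="replace")
        stamped = stamp_html(original, url)
        if stamped != original:
            path.write_text(stamped, encoding="utf-8")
            changed.append(path)
    return changed


def demo() -> list[str]:
    """Constructed sample tree: one bare page, one already marked, one non-HTML."""
    root = Path(tempfile.mkdtemp())
    (root / "index.htm").write_text("<!DOCTYPE html>\n<p>lesson 1</p>\n", encoding="utf-8")
    (root / "done.html").write_text(make_motw("about:internet") + "\n<p>x</p>\n", encoding="utf-8")
    (root / "notes.txt").write_text("not a page", encoding="utf-8")
    return [p.name for p in stamp_tree(root)]


if __name__ == "__main__":
    print(make_motw("about:internet"))
    # Constructed mark whose count does not match its URL: count_ok is False.
    print(find_motw("<!-- saved from url=(0005)http://example.com/ -->"))
    print(demo())
```

    Run it once over the copied folder before burning the CD; pages that already carry a mark are left untouched, so the script is safe to re-run.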

  50. Stephen Jones says:

    It appears my last comment on hta was wrong. Once you have hta appearing once then all the other links will open in that window.

    Still doesn’t solve the problems of pop-up windows though.

    And here’s a link to prove there are a lot of other people annoyed and even financially hit by the matter.

    http://www.phdcc.com/xpsp2.htm

    Still, at least MS security makes work for all those programmers who live off making utilities that circumvent it!

  51. anonymous says:

    JD, you’re much more stupid than you claim. The thing that let you not get infected was PURE LUCK. It just takes one guy to make up a bogus company, buy some adspace from Yahoo, you visiting Yahoo and you’re hosed. We’ve already seen many such bad guys doing exactly that.

    There isn’t such a thing like good websites and bad websites, they’re all bad as soon as they include third-party content, which almost all websites do.

    And with MSIE, no security setting could save you from that. By design. Ask Microsoft why they still advertise IE as a web browser, whereas in fact it’s an unrestricted and unrestrictable shell.

  52. Mihai says:

    “Shhh, don’t tell anyone that Firefox can run Flash. -Raymond”

    A SWF file is not an executable. It is byte code, with a very tight security sandbox (like a Java applet). So it cannot even read a file, much less format your disk, the way an ActiveX control does.

    The Flash runtime itself is executable, but you have to actively install it. It does not install itself.

    So no, it is far from being the same.

    I would expect a regular user to be confused by this, but from you… sounds like trying to confuse others.

    [I was responding to the claim that nobody else “run[s] executables from a Web page.” Flash is an executable. (I’m going to ignore the distinction between DLL and executable since the original author did too.) -Raymond]

  53. Mihai says:

    For those that bring Vista protected mode: this does not make ActiveX a good idea. At the time when ActiveX was created, Vista was far away, and everybody was Administrator.

    And saving something on my disk does not make it safe. This is why a Flash file (.swf) has no more rights if running from my disk than it does in the web page (in fact, it has less).

  54. Leo Davidson says:

    Reply to MS:

    "YOU don’t care, but a lot of other people just might."

    FFS, I suggested an *option* not a *replacement* so view it as such. :-(

  55. Leo Davidson says:

    "But your not realizing the risk doesn’t make sense. Why else would IE have supported different security levels for years now, if it didn’t make a difference somehow. Common sense should tell you that, shouldn’t it?"

    Because, as I said, I simply had not thought about it. As I also said, it is obvious if you do think about it and put the pieces together. The point I was trying to make was that people don’t always do that, even technical people like myself and many of the others posting here. Saving something on the screen to disk to look at later feels like such an innocent operation — it’s a document, a data file, I’m just saving it to disk and later I’m going to view exactly the same thing — that it isn’t something many people think about.

    Of course it isn’t REALLY just a document or a data file; it can contain code which can do very bad things, but I believe it’s easy for people not to realise that. This is backed up by some of the other people posting here, not to mention the fact that IE7 disables local files from launching Flash and other ActiveX controls until you click a warning.

    I suspect people who have not delved around in IE’s security configuration or done any web development are not even aware that IE has different security settings for different sources. Indeed, why does it, really? I can understand more and less trusted websites but why should HTML that happens to be on my local HDD be more trusted than something else, given that saving something to the HDD does not require admin rights or produce any warnings?

    "So what you want is for Internet Explorer to add a "Save as Bitmap" option!?  Perfectly safe.  All formatted and readable just as it was when you viewed it."

    Yes, well, almost. I still want to be able to copy & paste text from the page and I’d ideally like to be able to click on standard links. (I don’t care if javascript links are broken.) I’d also like it to resize the layout when I resize the window (again assuming javascript was not used for layout, which is rare).

  56. Pierre B. says:

    What is hilarious is that Dave pointed out that what I requested is already implemented, and yet people are still saying it’s a stupid idea.

    What is saddening is that in 2007, some are still blaming the end-users for not recognizing security risks. I sure hope I will never use your products.

  57. Mihai says:

    “I was responding to the claim that nobody else “run[s] executables from a Web page.” Flash is an executable.”

    But you don’t run the Flash player executable from a web page. You install it. And it cannot be done without the user accepting it.

    The only thing you “run from a web page” is a .swf, which is not an executable, it is “interpreted” in a very tight sandbox with almost zero access to the file system.

    With ActiveX you effectively run an application with access to native API written by a random Joe.

    The same applies to Java.

    [“But you don’t run the Flash player executable from a web page. You install it. And it cannot be done without the user accepting it.” So what’s the difference then? In both cases, you install a plug-in after the user grants permission. That plug-in has access to the native API. -Raymond]

  58. anomymous says:

    Raymond, you’re obviously ignoring that about half of Windows is implemented as COM modules. Each of them can be instantiated. So the problem about ActiveX is not running any new controls, but exploiting a huge amount of existing ones.

    A second, obvious difference is that, if a malicious website doesn’t want the user to be asked, it can install its ActiveX control without asking for permissions. This exploit has even been taken so far as to get documented as the standard way to embed ActiveX controls!

    [I’m pretty sure that an ActiveX control being installed and run without user permission would be considered a serious vulnerability. Have you reported it? -Raymond]

  59. anonymous says:

    And as the third issue: An ActiveX control doesn’t know anything about its security context. If it shall write into files as part of an application, it can do so as well if embedded in a webpage. If you remove all such functionality, it effectively becomes unusable as a portable part of an application.

  60. Mihai says:

    “So what’s the difference then? In both cases, you install a plug-in after the user grants permission.”

    The difference is that an ActiveX runs without asking the user, without being installed, and can originate from any web site (at least with the default settings in older versions of IE).

    [I think it’s disingenuous to call up as examples things that aren’t true any more. -Raymond]

  61. anonymous says:

    “I’m pretty sure that an ActiveX control being installed and run without user permission would be considered a serious vulnerability. Have you reported it?”

    Sure I have reported it, but it’s not a security vulnerability since IE is documented to be not secure in a hostile environment, thus security was never specified at all.

    The vulnerability is not to use the interface name (like WMPlayer.WMPlayer.1 for the WMP ActiveX control), but to use an invalid pseudo-protocol “clsid” with the syntax “clsid:{GUID of the control}”. In this case, the DDE Server does the instantiation instead of IE, bypassing IE’s policy and potentially triggering unrequested installation of new controls and/or updates of existing controls.

    Not to mention the side effects of instantiation. TlntSrv.TlntSrvEnum for example triggered, when the user had sufficient privileges, the startup of the Telnet Server Service (if installed) on Windows 2000 SP3.

    [Sure, you can instantiate a local server, but then what? The server runs and then says “Sorry, I’m not an ActiveX control.” Not sure how anything got installed. -Raymond]

  62. Mike Dimmick says:

    Security zones and the safe for scripting/safe for initialization categories were introduced in IE 3.02 for goodness’ sake! PLEASE get a clue before posting. The problems with ActiveX components have in many cases been where components were incorrectly marked, which is the fault of the component developer, not of Internet Explorer, exposing capabilities to scripting that were not secure. THEY ARE NOT SET BY DEFAULT – the developer has to opt in – but many components were opted in that shouldn’t have been. This relates only to objects where parameters have been specified in the <object> tag, or scripts target the objects. If no parameters are supplied and script does not target the object, any object can be loaded, but this should not present a security risk as the attacker is not giving any information for it to operate on (this would generally make the object pretty useless, of course).

    In addition COM offers the IObjectSecurity interface. This allows the object, once initialized, to discover the zone it’s running in to permit it to further lock down its capabilities.

    There have of course been flaws in the *implementation* of the security model. The local server issue *did* exist because you could specify a file: URL for the codebase parameter, which allowed an executable already on the user’s system to be loaded. This is possible because the COM local server model requires the server process to register its classes with COM at runtime, so COM loads the program, then waits for it to register its classes. It doesn’t, so the operation times out, but the program still ran. This was fixed over five years ago: bulletin MS02-015. It was rated moderate because the attacker could only run programs already present, and then could not provide command-line arguments, but ‘anonymous’ indicates that there was something which could be run that could start the Telnet service, which could then itself be used to connect to the machine, if you could get its IP address and it wasn’t behind a NAT or firewall and you could then guess a login.

    The various settings for whether an object can be initialized or scripted are configured on a per-zone basis and can be adjusted one-by-one, or altogether using the ‘level’ slider in Internet Options.

    Firefox also has a model for loading binary, native code. It’s called XPCOM. The ONLY difference from COM – as it’s a complete rip-off – is that there is not a system-wide registry of all components which are independently creatable. Instead the registry of what’s available is stored in a file in the Firefox installation folder. Some extensions will be pure JavaScript extensions using only the Firefox script extension model, but some are binaries. Firefox does not actually have as robust an extension security model as IE does, but it is less exploitable due to the smaller number of compatible binary extensions possible. COM has in this instance been a victim of its own success.

  63. Mihai says:

    @Raymond: please don’t get angry with me.

    But this is often your message in this blog (which I like a lot): judge everything in context!

    If something looks like a stupid thing today, think about the situation when that thing was created. And you are right.

    But let’s be consistent: if something is safe today, and does not look like such a bad idea, we should also look back and see if at the time when it was created that was also the case.

    [Another theme of the blog is that harping on mistakes of the past accomplishes nothing. What’s done is done. Fix it as best you can, learn from it, and make the next thing better. Until time machines are invented, that’s the best anyone can do. -Raymond]

  64. Aaron says:

    Phenomenal. There seems to be an almost limitless supply of people who know nothing about how any Microsoft technology really works, but are damn sure that Microsoft did it all wrong, and know exactly how it "should" be done (namely, by waving their magic wands and making computers both sentient and telepathic).

  65. Stephen Jones says:

    “but are damn sure that Microsoft did it all wrong, and know exactly how it ‘should’ be done”

    When MS proceeds to break or cripple the applications you have written using standard MS procedures, then you are quite right to say that MS got it wrong.

    And as far as “harping on the mistakes of the past” Raymond is ignoring something. Those of us that are harping on about the mistakes of the past are not those who made the mistake in the first place, but those who are suffering from it.

    And MS is not showing that much intention of learning from its mistakes (insofar as one can talk about it as a monolithic organization). We still have no guarantee that a web program we write that runs fine in IE today will do so tomorrow after MS has applied arbitrary security updates. After all the posts I made on Local Machine lockdown here I found that the next day after I disabled it an update or something had changed the registry and IE would not open a single .swf file, whether from the web or from the local HD. After two hours searching on the web I found an obscure registry file that had appeared. I changed it and it worked until the next day, when I had to change it again.

    If lots of moaning here means somebody at MS will pay attention and tell the guys in charge of security updates that it is a big deal when they go around and change a setting without telling anybody then all the moaning will have had some effect.

    You could argue it is a little unfair to argue this on Raymond’s blog, when he, more than anybody has defended backward compatibility, but we are not attacking Raymond personally, merely pointing out the chaos that making a mistake and then rectifying it by breaking things causes.

    [The pendulum in the “compatibility vs. security” battle has swung the other way. Whereas you’re upset that it’s happening, far more people are upset that it took so long. Maybe you can get into a room with everybody else and work it out once and for all. -Raymond]

  66. Mihai says:

    "I think it’s disingenuous to call up as examples things that aren’t true any more."

    It was all in the context of "ActiveX *was* a bad idea." Past tense.

    And not everybody switched to Vista/IE7 yet.

    Before IE7, everybody lived (for many years) with the sword of Damoc^H^H^H^H^HActiveX above their heads :-) And ActiveX *was* a bad idea.

    But there is still a difference, even now: I am asked about the Flash plugin, and I am asked about random ActiveX, ok.

    But I have to decide once for Flash (and I know it is from a safe company), then I can just "run" any .swf file, I know I am safe. But I still have to think and decide for every ActiveX out there, often with very limited information.

    Same model with Silverlight and Java, both better ideas than ActiveX.

  67. Mihai says:

    "components were incorrectly marked, which is the fault of the component developer"

    We are talking security. The "developer" was out there to get your computer (and create the armies of "slave" computers to be used for spam, warez, DoS).

    So it was not his *fault*, it was intentional. The internet stopped being a nice and friendly place many years before IE3.

    So "PLEASE get a clue"

  68. Mihai says:

    “Fix it as best you can, learn from it, and make the next thing better”

    Agree. But when the answer to “it was a bad idea” is “it is the same as X” (which is not), it does not sound like lesson learned.

    If the answer is “true, it was bad at the time, but it is fixed now” then I agree.

    Also, some of my posts were not “targeted” at you, but were answers to other posts.

    Anyway, I will stop here, enough is enough.

    [You claimed that allowing plug-ins to run natively was a bad idea. I responded that if it’s such a bad idea, why do other browsers allow native plug-ins, too? You then compared current Firefox behavior to old IE3 behavior (instead of current IE7 behavior, which is more comparable). -Raymond]

Comments are closed.
