This week's Patch Tuesday update was nearly as difficult to digest as a Michael Phelps breakfast. It contained 11 bulletins covering 26 underlying vulnerabilities, the most in two years. With all this high-calorie content to chew through, two important points about the update have gone largely overlooked. Firstly, a promised …
Not broad enough!
How about a kill-bit that disables ActiveX?
How about a kill-bit that disables Vista?
I have no idea what later & greater versions of Windows offer, but Win98 + IE 6 has a setting to disable ActiveX.
Regrettably, I can't tell you just where it's located: IE, control panel, or what. All I can remember is that to fully cut the balls off IE you have to turn off a whole bunch of things of which some are in one place, some in another.
My flabber remains ghasted that MS still insists on ActiveX at all. The technology was fingered as a major security problem when it was still a babe in arms; here we are, a good 10 years later and ActiveX continues to plague us with wet and poopy diapers. So to speak.
Already done - the first version was in XP - the WGA scheme... occasionally they set it off on a global scale just to remind everyone...
killbit is bass-ackwards
If they absolutely have to use ActiveX in the browser, the browser should come with a set of "allow bits" -- a list of the specific ActiveX controls that _are_ allowed. That would be crammed in the Registry just like the current "kill bits", and could be modified by MS updates or 3rd party apps that actually _intend_ to add ActiveX controls to the browser's repertoire.
Allowing the browser to invoke random routines from random installed code just because some hacker with a web page knows its CLSID is insane.
I got an MP update - perhaps the writer should run Windows Update today to get the latest patches?
Bill - saviour of the universe and he's only got til Tuesday to save the world (sung to Queen's 'Flash')
I don't trust it at all, if a site requires ActiveX I look for the resource elsewhere. As for windoze media player, well at just over 2Mb, media player classic serves me well, and it doesn't open IE when playing wmf files or attempt to connect to ms servers when it is used. ;-)
Vista and IE7 do have "allow bits".
"ActiveX Opt-In automatically disables entire classes of controls—all controls the user has not previously enabled—which greatly reduces the attack surface. This new feature works directly to mitigate the potential misuse of pre-installed controls. Users will now be prompted by the Information Bar before a previously installed, but as yet unused ActiveX control can be accessed. This notification mechanism will provide users the ability to permit or deny access when viewing unfamiliar websites. For malicious websites that attempt automated attacks, ActiveX Opt-In helps protect users by preventing unwanted access and gives the user control. In the event the user does opt to permit loading an ActiveX control, the appropriate control is easily enabled by clicking in the Information Bar."
A step in the right direction I have to agree, but most users will just click the info bar, after all they are just after the content. Do they understand what they do? Have you ever worked help desk? It hurts. Are not all websites unfamiliar the first time round?
Most reg visitors are IT literate, so you preach to the converted here, although not necessarily the wise :-) The average computer user is in an entirely different class altogether... Forgive them <insert deity of choice> for they know not what they do.
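The kill-bit (deny list) versus "allow bits" (allow list) contrast argued in the comments above, as an added example that is not part of the original thread. It parses a constructed `.reg` export of IE's `ActiveX Compatibility` key, where a kill bit is the `0x00000400` bit of `Compatibility Flags`; the CLSIDs, the allow list and the function names are made up for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a control

# Constructed .reg export of the ActiveX Compatibility key (CLSIDs are made up).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020
'''

KEY_RE = re.compile(r'^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$')
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(text):
    """Return {CLSID: flags} for every CLSID subkey found in a .reg export."""
    flags, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)
            continue
        val = VAL_RE.match(line)
        if val and current:
            flags[current] = int(val.group(1), 16)
        elif line.startswith('['):
            current = None  # unrelated key: stop attributing values to the last CLSID
    return flags

def loads_under_killbits(clsid, flags):
    """Deny list: every installed control loads unless its kill bit is set."""
    return not (flags.get(clsid.upper(), 0) & KILL_BIT)

def loads_under_allow_bits(clsid, allowed):
    """Allow list (the commenter's proposal): nothing loads unless listed."""
    return clsid.upper() in allowed

def audit(installed, flags, allowed):
    """Map each installed CLSID to (deny-list result, allow-list result)."""
    return {c: (loads_under_killbits(c, flags), loads_under_allow_bits(c, allowed))
            for c in installed}
```

The case worth noting is an installed control with no entry under the key at all: the deny-list model loads it, the allow-list model does not.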