Posted by Andy Dingley on 01/20/06 23:52
On Fri, 20 Jan 2006 18:04:05 GMT, Joe Barta <jbarta@apk.net> wrote:
>When
>you hear the word "trusted" in the context of hta, does that mean that
>the default is for ActiveX controls in a hta to install and run
>automatically? Without the user's approval?
That's broadly the problem.
You (the user) have some control over how your IE handles security. You
can control whether components run, and whether new components can be
installed. The choices also depend on the source of the page and the
context. In general though, "web HTML" is treated cautiously by default
but "HTA" is treated promiscuously. The way in which an average IE
treats HTAs is so insecure as to make HTAs a clear and present security
threat in any organisation, such that they need to be hunted down and
destroyed on sight.
M$oft have demonstrably no competent clue over security. In 15+ years of
commercial Windows experience I have never yet seen them act cluefully,
and I have regularly seen them behave in a careless and incompetent
manner that affects the security of my machines (to the point where I no
longer need to rely on M$oft products for this). They regularly treat
the whole of "computing" as a 1950's US corporate structure, modelling
M$oft's own internal sclerosis. This is a particular security hazard
when you are either not such a corporate, or when you're part of a
corporate big enough to have at least one fool in it. I've only once
"lost money" to a virus and that was owing to M$oft's simplistic
"Everyone who works for us is trustworthy" model. We were a big site and
there was _one_ old and insecure machine. But it was one of "our"
machines, and so many important and secured (sic) machines trusted it in
turn.
As to "trust", then the problems of signed ActiveXs are well described.
In particular, it is impractical to sign any non-trivial ActiveX as
"safe". Safety depends on context, the _combination_ of the control and
how it is used. A trustworthy developer may easily make a control that
is well-intentioned and signed as such, yet may be twisted to evil
purposes by the page that uses it - and yet it's _still_ signed as
"safe". Suppose your button maker writes a CSS file locally - what if
the page can suggest an alternative filename that's something important
from /windows/system/ and your button maker innocently overwrites it?
Back in 1997 M$oft released IE4. The initial installer of the first
version included a (trusted) ActiveX that could configure the install to
finish installing after a reboot, by using the registry RunOnce key.
This was trusted and signed by M$oft, so who wouldn't just let it run?
If you used this from another page, it was a trivial hack to make the PC
format the c:\ drive when you next rebooted - all with a trustworthy and
signed ActiveX from the original manufacturer, doing just the task it
was intended for - with only a single parameter changed.
--
Roses are red, violets are blue,
your computer won't boot,
with Service Pack 2
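The post's point that a signed control can be turned against the machine by a page-supplied parameter, shown as an added example that is not code from the thread: a hypothetical "button maker" control's file-naming method in the form the post warns about (the page picks the path), beside a version where the page may only name a relative stem and the control keeps the write inside its own directory. The kStyleDir path and all function names are assumptions.

```cpp
#include <cctype>
#include <optional>
#include <string>
#include <vector>

// Directory the (hypothetical) "button maker" control is meant to write into.
static const std::string kStyleDir = "C:\\ProgramData\\ButtonMaker\\styles\\";

// Before: the page that scripts the control chooses the destination verbatim,
// so a signed, well-intentioned control writes wherever the page says.
std::string unsafe_target_path(const std::string& page_supplied) {
    return page_supplied;
}

// Split on both Windows separators so "a/b" and "a\b" are treated alike.
static std::vector<std::string> split_components(const std::string& p) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : p) {
        if (c == '\\' || c == '/') { out.push_back(cur); cur.clear(); }
        else cur += c;
    }
    out.push_back(cur);
    return out;
}

// Win32 treats CON, NUL, COM1.. etc. as devices even when an extension is added.
static bool is_reserved_device_name(const std::string& part) {
    std::string u;
    for (unsigned char c : part) u += static_cast<char>(std::toupper(c));
    if (u == "CON" || u == "PRN" || u == "AUX" || u == "NUL") return true;
    return u.size() == 4 && (u.rfind("COM", 0) == 0 || u.rfind("LPT", 0) == 0)
           && u[3] >= '1' && u[3] <= '9';
}

// After: the page may only name a relative stem; the control fixes the base
// directory and the extension and rejects anything that could leave kStyleDir.
std::optional<std::string> safe_target_path(const std::string& stem_path) {
    std::string rel;
    for (const std::string& part : split_components(stem_path)) {
        // Empty part = leading/double/trailing separator (absolute or UNC
        // path); "." and ".." would alias or escape the base directory.
        if (part.empty() || part == "." || part == "..") return std::nullopt;
        if (is_reserved_device_name(part)) return std::nullopt;
        // Allowlist: no ':' (drive letters, ADS streams), no '.', no wildcards.
        for (unsigned char c : part)
            if (!(std::isalnum(c) || c == '_' || c == '-')) return std::nullopt;
        rel += part + "\\";
    }
    rel.pop_back();                   // drop the loop's trailing separator
    return kStyleDir + rel + ".css";  // the control, not the page, picks the extension
}
```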