ActiveX opt-ins
One of the most powerful tools that malware authors have had at their disposal is the ActiveX control. At one time, malware authors commonly developed malicious ActiveX controls and tried to trick their victims into installing them. Today, security features built into IE and into third-party antimalware software have greatly reduced the practice of installing malicious ActiveX controls.
A lot of people don't realize that there are a number of ActiveX controls built into IE6. Although these built-in controls are not malicious in and of themselves, they are frequently used as components in malware attacks.
In Internet Explorer 7, Microsoft disabled almost all of the built-in ActiveX controls by default. If a Web site needs to use a control, the user is notified through the Information Bar and has the option of enabling the control.
ActiveX controls can also be manually enabled or disabled through the Add-on Manager, which is accessible through Internet Explorer's Tools menu. As you can see in Figure C, the Add-on Manager allows you to manually enable or disable ActiveX controls individually.
Figure C: Add-on Manager allows you to enable or disable ActiveX controls individually.
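Before enabling controls one by one, it helps to know which controls a page actually asks for. The following is an added example, not part of the original tip: it lists the controls a page requests through object tags with a classid attribute or through script calls to new ActiveXObject. The function name, the sample markup, the CLSID and the ProgID are constructed placeholders.

```javascript
// Added example: inventory the ActiveX controls a page tries to instantiate,
// so each one can be reviewed before it is enabled in the Add-on Manager.
// inventoryActiveX and samplePage are names assumed for this illustration.

// Constructed sample markup; the CLSID and ProgID are placeholders.
const samplePage = `
<html><body>
<object id="viewer" classid="clsid:00000000-0000-0000-0000-000000000001"></object>
<OBJECT CLASSID='CLSID:00000000-0000-0000-0000-000000000001'></OBJECT>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
<script>
  var ctl = new ActiveXObject("Example.Control.1");
</script>
</body></html>`;

function inventoryActiveX(html) {
  const found = new Map(); // "kind:id" -> { kind, id, count }
  const add = (kind, id) => {
    const key = kind + ":" + id;
    const entry = found.get(key) || { kind, id, count: 0 };
    entry.count += 1;
    found.set(key, entry);
  };

  // An <object> tag with classid="clsid:..." embeds a control by class ID.
  // Tags without a classid (plain plug-in content) are not counted.
  const objectTag = /<object\b[^>]*>/gi;
  const classId = /\bclassid\s*=\s*["']?\s*clsid:([0-9a-f-]{36})/i;
  for (const tag of html.match(objectTag) || []) {
    const m = classId.exec(tag);
    if (m) add("clsid", m[1].toLowerCase()); // normalise case to merge duplicates
  }

  // Script can also create a control by ProgID.
  const progId = /new\s+ActiveXObject\s*\(\s*["']([^"']+)["']/g;
  for (const m of html.matchAll(progId)) add("progid", m[1]);

  // Plain string ordering keeps the report stable between runs.
  return [...found.values()].sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));
}

for (const c of inventoryActiveX(samplePage)) {
  console.log(`${c.kind}\t${c.id}\tseen ${c.count}x`);
}
```

The pattern matching is deliberately simple and does not evaluate script, so controls created from strings assembled at run time will not appear in the list.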
The Information Bar
The Information Bar in IE6 notifies the user when Internet Explorer has
Another minor, but security-oriented change to the IE user interface is that all browser windows now contain an address bar. This helps prevent malicious pop-up windows from appearing to be part of a legitimate Web site.
These forms of protection are built in to IE7 and are non-configurable.
Cross-domain protection
One last non-configurable, behind-the-scenes security feature that I want to talk about is cross-domain barriers. In order to prevent malicious code from taking advantage of holes in poorly coded legitimate Web sites, IE7's cross-domain protection feature prevents scripts on a Web site from interacting with sites located at other domains.
Configuring IE7 security on Windows Vista
Introduction
General security configuration
The Phishing filter
International domain names, URL handling
ActiveX, Information bar, cross-domain protection
Security features on the Windows Vista version of IE7
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
This tip originally appeared on SearchWindowsSecurity.com.
This was first published in February 2007