Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Internet Explorer’s ActiveX Security Mitigations in Use

15 Jul 2009   #1
SGT Oddball

Internet Explorer’s ActiveX Security Mitigations in Use


As a part of the July security bulletin, Microsoft yesterday released an update to mitigate a vulnerability in the “Microsoft Video” ActiveX control. This control contained a stack-based buffer overflow which could be exploited by a malicious web page.

If you haven’t yet done so, please make sure you’ve installed the latest updates from WindowsUpdate to help keep your system secure.

The Microsoft Video control should not have been marked as safe because it wasn’t intended for use within the browser. Rather than updating the control itself, Microsoft decided to block misuse of the control via a killbit. Killbits are simple registry flags that instruct the browser not to load the specified control. One advantage of killbits is that they can easily be set with a simple registry modification, and a “FixIt Script” that set this killbit was available on July 6th. You can learn more about the killbit mechanism over on the SRD Blog (Part 1, Part 2, Part 3).

ActiveX Mitigations by IE Version

The Video ActiveX vulnerability was extremely serious for IE6 users because that browser version provides no protection against this exploit unless the killbit is applied.

In contrast, IE7 users had some protection against exploitation of this vulnerability. IE7 includes the ActiveX Opt-in feature which disables most ActiveX controls (including this one) by default. IE7 users on Vista also benefit from Protected Mode, which helps prevent the installation of malicious software, even in the event that an exploit results in code execution.

Beyond Protected Mode and ActiveX Opt-in, IE8 users benefitted from additional protections that help to mitigate vulnerabilities like this one. IE8 includes the per-site ActiveX feature, which extends ActiveX Opt-in by preventing controls that are permitted to run on one site from running automatically on other sites. More importantly in this case, DEP/NX memory protection is enabled by default for IE8 users on Windows XP SP3, Windows Vista SP1+, and Windows 7. DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), make it harder for attackers to successfully exploit certain types of memory-related vulnerabilities, including this one.

Security is a Journey

Unfortunately, attackers are always on the lookout for vulnerable code, and Microsoft is currently investigating a vulnerability recently discovered in the Microsoft Office Web Components (OWC) ActiveX controls. Until an update is available, users can help prevent exploitation of the vulnerability by running the FixIt Script that killbits the vulnerable OWC controls.

No Easy Answers

When talking to customers, I’m often asked: “ActiveX controls often have problems. Why not release a version of Internet Explorer without ActiveX?

It’s a reasonable question, and it goes back to my point that “security is usually easy, it’s the tradeoffs that are hard.” End-users or IT administrators can easily disable ActiveX in all versions of IE in just a few seconds: click Tools > Internet Options > Security > Custom Level… and change the “Run ActiveX controls and plug-ins” setting to “Disable.” Alternatively, IE7 and IE8 users can launch Internet Explorer in No Add-ons mode using the Start Menu shortcut. Unfortunately, many sites depend on the rich capabilities provided by add-on technologies like ActiveX, and those sites will not work as well, or at all, if ActiveX is disabled. Users and administrators can more tactically disable unwanted controls using Manage Add-ons or Group Policy, reducing attack surface as much as possible.

While we continue to evangelize best-practices for developing secure add-ons, we strongly encourage users and organizations to upgrade to IE8. IE8 offers a robust set of mitigations against exploitation of vulnerable controls, helping keep your systems secure.

Thanks for reading!

-Eric Lawrence


My System SpecsSystem Spec

 Internet Explorer’s ActiveX Security Mitigations in Use

Thread Tools

Similar help and support threads
Thread Forum
Internet Explorer "ActiveX Filtering" - Turn On or Off
How to Turn "ActiveX Filtering" On or Off in IE9, IE10, and IE11 ActiveX is a technology that allows web developers to create interactive content on their sites, but it can also pose a security risk. As you browse the Web, you may encounter webpages that don't work properly unless you install...
Internet Explorer begins blocking out-of-date ActiveX controls
Internet Explorer 9 Certificate Security
Hello When i use certain Secure* Web Sites Internet explorer pops ups always Security Certificate Error.How i can disable it? I update to the latest Certificates but prpoblem still exist. Windows 7 64bit i7 3.06 12 gb ATI radeon 6870
Browsers & Mail
Internet Explorer Enhanced Security
Do you know how to turn this off in Windows 7?
Browsers & Mail

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 23:52.
Twitter Facebook Google+