If your code uses binary behaviors in the Restricted Sites zone, then you will need to change your code by implementing a custom security manager for your application. For more information, see the "Creating a Customized URL Security Manager" section in "Introduction to URL Security Zones" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21863.
In Windows XP Service Pack 2, the ActiveX security model is applied in all cases where URL binding is used to instantiate and initialize an object. The ActiveX secur 929k1017j ity model allows controls to be marked as "safe for scripting" and "safe for initialization" and provides users with the ability to block or allow ActiveX controls by security zone, based on those settings. This allows greater flexibility and control of active content in Internet Explorer.
Web developers and network administrators need to be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.
Application developers should review this feature to plan to adopt changes in their applications.
Users could be impacted by sites that are not compatible with these stricter rules.
None. Existing security functionality is being extended.
ActiveX Security Model applied to URL object initializations
Detailed description
The most effective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at the source of the URL binding: URLMON. Declaring an ActiveX control in an HTML page using the <object> tag and CODEBASE attribute is one commonly known example of using BindToObject. The same functionality is used by any component that wants to resolve an URL and get back a stream or object. The ActiveX secur 929k1017j ity model is now applied to all object initializations with a URL as a source.
Why is this change important? What threats does it help mitigate?
In the case of ActiveX controls, the ActiveX security model allows controls to be marked as "safe for scripting" or "safe for initialization" and provides users with the ability to block or allow ActiveX controls by zone, based on those settings. In earlier versions of Windows, this security framework was not applied in all cases where URL binding took place. Instead, the calling code was responsible for assuring the integrity and security of the control, which could often result in security vulnerabilities. There are now a number of public exploit variations that expose this exact issue by going through Internet Explorer to compromise vulnerabilities in the calling code.
What works differently? Are there any dependencies?
The ActiveX security model is applied to all object initializations with an URL as a source, and the "Safe for initialization" tag is applied to all objects. This mitigation only applies to cases where Internet Explorer resolves an URL and assigns it to an object.
How do I resolve these issues?
Application compatibility problems should be minimal. Applications
can opt-out if they have their own security manager. For more information on
opting out of this security model, see "Security Considerations: URL Security
Zones
None.
You might. For more information, see "How do I resolve these issues?" in this section.
The Internet Explorer information bar in Windows XP Service Pack 2 replaces many of the common dialog boxes that prompt users for information and provides a prominent area for displaying information that users may want to view or act upon. Examples of dialog boxes that have been replaced by Information Bar notifications include blocked ActiveX installs, pop-ups, downloads and active content. The information bar will provide information similar to the notification area in Outlook 2003, which informs users of blocked content.
This feature applies to the following audiences:
Users who need to understand how the new behavior will affect their Web browsing experience.
System Administrators, who need to know how to turn this functionality on or off for the client computers in their organization.
Designers of Web sites that rely on add-ons, which will provide a different user experience.
Developers of Web-based applications who need to understand how their experience changes. For example, this affects the development of ActiveX controls. ActiveX controls which are updates to controls that are currently installed on other computers will only be treated as updates if the GUID of the new control matches the current GUID.
Developers of applications hosting the Web browser control will need to know how to use the new application programming interface (API) to take advantage of this new functionality.
|