IE8 Security Part II: ActiveX Improvements

Hi, I’m Matt Crowley, Program Manager for Extensibility with Internet Explorer. The team was very excited to be at the RSA security conference last month discussing the security features of Internet Explorer 8 Beta 1. In this, the second part of the IE8 Security blog series, I describe the ActiveX improvements in IE8 and summarize the existing ActiveX-related security features carried over from earlier browser versions.

Per-User (Non-Admin) ActiveX

Running IE8 in Windows Vista, a standard user may install ActiveX controls in their own user profile without requiring administrative privileges. This improvement makes it easier for an organization to realize the full benefit of User Account Control by enabling standard users to install ActiveX controls used in their day-to-day browsing.

If a user happens to install a malicious ActiveX control, the overall system will be unaffected, as the control was installed only under the user’s account. Since installations can be restricted to a user profile, the risk and cost of compromise (and, in turn, the total cost of administering users on a machine) will be lowered significantly.

Per-User ActiveX was designed with compatibility in mind—most existing ActiveX controls will not have to be rewritten to benefit from this feature; the only change will be repackaging. As in Internet Explorer 7, when a webpage attempts to install a control, an Information Bar is displayed to the user.

IE8 Information Bar prompt when a webpage attempts install of an ActiveX control

By clicking on the information bar, users can choose to either install the control machine-wide, or install it only for their own user account. The options in this menu will vary depending on the packaging of the control and the rights of the user.

The available options depend on Group Policy settings for per-user ActiveX installations and whether or not the control has been packaged to allow per-user installation.

IE8 Information Bar menu to install an ActiveX control

While this feature offers the possibility of lowering total cost of ownership, IT Administrators running managed environments may elect to disable this feature via Group Policy. For more information regarding Per-User ActiveX, please refer to the Non-Admin ActiveX Controls article in MSDN’s IE8 Beta 1 Whitepapers.

ActiveX Opt-In

Recognizing that any binary extensibility mechanism increases attack surface, ActiveX Opt-In was introduced with Internet Explorer 7.

By default, ActiveX Opt-In disables most controls on a user's machine. When the user encounters a Web page with a disabled ActiveX control, they will see an Information bar with the following text: "This website wants to run the following add-on "ABC Control" from "XYZ Publisher". If you trust the website and the add-on and want to allow it to run, click here …" The user can then choose to enable the ActiveX control from this Information bar.

ActiveX Opt-In allows some controls to run by default:

  • A small list of common controls intended for use in the browser.
  • Controls which were used in IE on a user’s machine before upgrading to IE8.
  • Controls which are installed through IE.

For more information on ActiveX Opt-In, please refer to the MSDN Article Best Practices for ActiveX.

Per-Site ActiveX

When a user navigates to a Web site containing an ActiveX control, IE8 performs a number of checks, including a determination of where a control is permitted to run. This check is referred to as Per-Site ActiveX, a defense mechanism to help prevent malicious repurposing of controls. If a control is installed, but is not permitted to run on a specific website, an Information Bar appears asking the user whether or not the control should be permitted to run on the current website.

IE8 Information Bar prompt to authorize run of an installed ActiveX control

Users can use the Information bar to allow the control for a specific Web site or allow the control for all Web sites.

IE8 Information Bar menu to authorize run of an installed ActiveX control

IT Professionals administering a system of computers running Internet Explorer 8 may choose to preset allowed controls and their associated domains. Such settings can be configured using Group Policy.

For more information regarding Per-Site ActiveX, please refer to the Per-Site ActiveX article in MSDN’s IE8 Beta 1 Whitepapers.

Enforcing Per-Site with ATL SiteLock Technology

If your ActiveX control is designed for use only on your web site, then locking it to the domain of that Web site will make it harder for other sites to repurpose the control in a malicious manner. See Developing Safer ActiveX Controls Using the Sitelock Template for more information.

Reducing Exploit Risk with DEP/NX, “Killbits,” and Servicing

Working with your processor and Windows, IE8 helps reduce the exploitation of vulnerable controls through Data Execution Prevention. See the previous post in this series, IE8 Security Part I: DEP/NX Memory Protection, for more information on how to ensure that your ActiveX controls are DEP/NX compatible, as well as information on how to opt in to other available protections.

If a vulnerable control has been exploited, IE includes a poison-pill option, the “killbit,” to block usage of specific controls within the browser. Vendors who are aware of a vulnerability in their control should contact Microsoft to set up a killbit for a future software update package. For more information, please refer to Knowledge Base article 240797, How to stop an ActiveX control from running in Internet Explorer.
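As an added example (not code from this post or from Microsoft), the read-only PowerShell below checks killbit state the way Knowledge Base article 240797 documents it, for COM classes registered in the current user's profile. The function names are hypothetical, and it assumes per-user classes are registered under HKCU\Software\Classes\CLSID; not every class found there is an ActiveX control that IE can load.

```powershell
# Added example: read-only audit of ActiveX killbits (see KB 240797).
# A control is blocked in IE when bit 0x400 is set in the "Compatibility Flags"
# DWORD under ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBit = 0x00000400
$CompatRoots = [ordered]@{
    Native = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    Wow64  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-ActiveXKillBitState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)
    $id = '{' + $Clsid.Trim().Trim('{', '}') + '}'   # accept braced or bare GUIDs
    foreach ($view in $CompatRoots.Keys) {
        $key   = Join-Path $CompatRoots[$view] $id
        $state = 'NoEntry'
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            # GetValue returns $null when the key exists without the DWORD
            $flags = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags')
            if ($null -eq $flags)          { $state = 'NoFlagsValue' }
            elseif ($flags -band $KillBit) { $state = 'KillBitSet' }
            else                           { $state = 'FlagsWithoutKillBit' }
        }
        [pscustomobject]@{ Clsid = $id; View = $view; State = $state; Flags = $flags }
    }
}

function Get-PerUserComServer {      # hypothetical helper name
    # Assumption: per-user COM classes live under HKCU\Software\Classes\CLSID.
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($class in Get-ChildItem -LiteralPath $root) {
        $server = $class.OpenSubKey('InprocServer32')   # opened read-only
        if ($server) {
            # The default value of InprocServer32 is the path of the DLL
            [pscustomobject]@{ Clsid = $class.PSChildName; Server = $server.GetValue('') }
            $server.Close()
        }
    }
}

# Report each per-user in-process server together with its killbit state
# in both registry views (the Wow64 view is simply absent on 32-bit Windows).
Get-PerUserComServer | ForEach-Object {
    $server = $_.Server
    Get-ActiveXKillBitState -Clsid $_.Clsid |
        Select-Object Clsid, View, State, @{ n = 'Server'; e = { $server } }
} | Format-Table -AutoSize
```

A State of NoEntry in both views means no killbit has been deployed for that class on the machine being audited.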

As with standard desktop software, it is important to keep controls up-to-date to ensure compatibility with newer systems and lower the risk of compromise through evolving security threats. For more information on updating ActiveX controls, please refer to the IE Blog entry Good Practices for ActiveX Updates.

Working with Users through Manage Add-Ons

While most end users aren’t aware of the inner workings of ActiveX controls or their enterprise policy on them (if applicable), users are able to find out information about the controls installed for use in Internet Explorer through Manage Add-Ons. It is important for developers to ensure that their controls are not only performant and secure, but also open in the information they provide.

Controls are identified by Name, Publisher, Version, and Class ID within the Manage Add-Ons interface. Given this, control developers are encouraged to include this metadata in release builds of their controls.

For more information on making sure that your ActiveX control properly conveys information about itself to users, please refer to Christopher Vaughan’s post Add-on Management Improvements in Internet Explorer 8 as well as the MSDN Article Best Practices for ActiveX.

Thanks for your help in ensuring your ActiveX controls are secure!

Matthew David Crowley
Program Manager
Internet Explorer Extensibility

Comments

  • Anonymous
    May 07, 2008
    All these security improvements for XP and Vista users while other Windows versions don't even get the core improvements made in IE6 for XPSP2. It's still possible in IE6SP1 for malware to silently install an ActiveX control. Although the marketshare of these operating systems is negligible, it makes no sense supporting IE6SP1 or IE5 SP4 because anyways they're so insecure, users of these OSes will be forced to use an alternative browser.

  • Anonymous
    May 07, 2008
    ActiveX improvements are nice. Can we also have the option to temporarily install an ActiveX add-on, then when we close the IE browser it deletes or disables the add-on? In a standard user account (non-admin in Vista), when a user chooses to "install this add-on for all user on this user", will they be prompted with a UAC password? The Favorites Bar is nice, but can you also add a search favorite or search commands functionality so users can find whatever they want in the IE 8 user interface? Something similar to the Office 2007 search command add-ins.

  • Anonymous
    May 07, 2008
    Wow, per-user ActiveX - that's pretty huge (and arguably how it should have been done since the beginning).  

  • Anonymous
    May 07, 2008
    I will agree that it could have been done from the beginning, but we should remember the first environment that IE was developed for... the Win9x environment. In any case I'm happy to see something like this, please continue making our life (as sysadmins) a bit easier!!

  • Anonymous
    May 07, 2008
    It's good that IE 8 has this feature. Improving the security measures on the Internet is a very good idea. Internet security nowadays is at risk since hackers are always ready to do their unpleasant doings. There are many preventive measures, all we have to do is follow what is right.

  • Anonymous
    May 07, 2008
    Will this feature be enabled for XP users as well?

    "Running IE8 in Windows Vista, a standard user may install ActiveX controls in their own user profile without requiring administrative privileges"

    This makes it seem like it won't, but a definite answer would be awesome.

  • Anonymous
    May 07, 2008
    @Mike: The per-user ActiveX feature is for Vista and higher.

  • Anonymous
    May 07, 2008
    Does this work without "Emulate IE7" too?

  • Anonymous
    May 07, 2008
    And what, pray tell, prevents per-user ActiveX to be implemented in XP? Oh, sorry: limited user accounts in XP are unusable anyway; it would have worked with Win 2000 (which has working 'advanced users' accounts), but since Win 2000 is stuck with IE 5 and 6 (at best) anyway... I guess then that users of Win XP will just switch to other browsers that allow user-level extensions and plugin installations, and get rid of ActiveX altogether. If they haven't already done so. ... You do realize that this 'great security improvement' can only be used to demonstrate how ANCIENT IE actually is? I mean, program a Firefox extension today, it already works as a user level extension only, works with all OS version supported by Firefox (from win9x to Vista), and as long as it doesn't make use of assembly language or OS dependent features (relying on Gecko's CSS, HTML and Javascript engine), can run ANYWHERE Gecko has been ported, and in the browser's context? What's left to implement is an independent Javascript engine (but then, Chris Wilson protested the Mozilla's foundation attempt at writing one that could be plugged into IE, so, either you're arrogant, or you're not planning to do that), and you'd get a browser mostly unstuck from the OS, and the ability to improve it again. ... Remember that XP just got a new lease on life, due to Vista being too bloated to run on machines that are all the rage today: UMPCs. So, spending time improving ActiveX just for Vista is of little to no interest, especially when your competitors are going at these new markets aggressively:

    • Firefox 3 got a smaller footprint than version 2, making it eligible to run on very small devices;
    • Opera already is there;
    • KHTML/Webkit are geared to go that way too.

    What browser do you want to see outside the desktop? If people spend more time with their mobile devices, and notice that they can keep the same browser in and out of their desktop machine, and cumulate it with nice stuff like roaming browser preferences (yes, it exists for at least Firefox, hosted by Google), what's getting more interesting? IE 8, glued to costly, underperforming machines, or Firefox/Webkit/Opera that you can bring with you? If separating first rendering contexts, then ActiveX from the core OS is part of a strategy to unglue IE from Windows, it's really good, congrats! If not, pfeh.


  • Anonymous
    May 08, 2008
    The earlier suggestion of temporary activex would be good, there are occasions where I would like to use something which requires activex but am unlikely to need it again.

  • Anonymous
    May 08, 2008
    Re: "Running IE8 in Windows Vista, a standard user may install ActiveX controls in their own user profile without requiring administrative privileges" So what you are telling us, is that although IT has locked down what you can do on your PC, you can now in fact evade those security measures and install all the spyware infected "CoolSearch", "MyWay", "BonziBuddy", "360" toolbars you want now. Can't wait to see how the IT Crowd responds to this when the news gets out.

  • Anonymous
    May 08, 2008
    @User Access Control - Huh? What part of "While this feature offers the possibility of lowering total cost of ownership, IT Administrators running managed environments may elect to disable this feature via Group Policy." do you not understand?

  • Anonymous
    May 08, 2008
    I'd really like a solution where I don't have to train every user to decide whether to trust an add-on.

  • Anonymous
    May 08, 2008
    @@killbits question: The problem is that a bad guy could save a copy of the buggy/signed AX control on his server and offer to install it from his page.  Without a killbit, the buggy old version can be installed & run. Anyone claiming that Firefox's model is somehow magically better than ActiveX doesn't really understand Firefox's NPAPI plugin model.

  • Anonymous
    May 08, 2008
    Thanks for the reply. I had not thought of that. How easy/hard is it for someone to do that, and how easy/hard is it to install an older version of an add-on over the newer one? I've never actually let an active-x thing download/run on my machine and take the view of, if your site needs it, I don't need your site; because of this I have not had enough exposure to know the difficulty of setting up the exploit you mention above. I'll fully admit it's a good reason for killbits I didn't think of, but knowing the difficulty level of the exploit and therefore how many people could actually use it is important for determining how big the problem being fixed is.

  • Anonymous
    May 08, 2008
    IE Team describes the ActiveX improvements in IE8 and summarize the existing ActiveX-related security

  • Anonymous
    May 08, 2008
    "Running IE8 in Windows Vista, a standard user may install ActiveX controls in their own user profile without requiring administrative privileges" An ActiveX improvement means going back to the old XP way: users will fall victim to malicious ActiveX. I feel it's a bad choice to allow a standard user to install ActiveX controls without requiring administrative privileges. Sure, the overall system will be unaffected if a standard user installs a malicious ActiveX control, but you're putting inexperienced users (kids, mothers, etc.) at risk and making them an easy target for dangerous ActiveX. Right now I don’t like that an admin (possibly a home user) has to go through Group Policy to disable this feature. I think if you are going to allow standard users to install ActiveX, then you should add a UI option for the user (admin) to easily turn on the default setting which requires administrative privilege for every ActiveX control. You have to choose between usability and security, but you went with usability/user experience.

  • Anonymous
    May 08, 2008
    Basically what I was saying earlier is that I'm concerned about the user. Do you really want the user to look at the information bar and hope that he/she makes the right decision in installing ActiveX?

  • Anonymous
    May 08, 2008
    @bond -- it's no different than the browser allowing you to download arbitrary EXEs and the OS allowing you to run them.  Those arbitrary EXEs can install ActiveX controls within your user profile (this goes as far back as Windows 2000 with per-user COM registration under HKEY_CURRENT_USER). What IE8 is doing is taking the "in-browser" installation mechanism, and allowing that to be per-user as well.

  • Anonymous
    May 08, 2008
    As well as the 'install...' options, how about an 'Ignore this request from this site' option.

  • Anonymous
    May 09, 2008
    Can Silverlight be added as part of the operating system, say as a part of Windows XP, as it is already part of Vista, as it is annoying! Could you with ActiveX make it more open source!

  • Anonymous
    May 09, 2008
    I like how you're using Google as your search engine on those screenshots. Replacing MSN search with Google would be a really good improvement in IE8. ;)

  • Anonymous
    May 09, 2008
    Per session installation would be a great option. And ignore the idiots that don't even know the difference between a firefox plugin, and a firefox extension. Sheesh. Though when you get silverlight merged with IE (for IE9), then 'extensions' could be written in that, I suppose.

  • Anonymous
    May 10, 2008
    That post is very good, thank you it is very interesting ;)

  • Anonymous
    May 11, 2008
    @Match74: Before displaying your lack of understanding in a public forum, you should do some basic research. You can already run IE in a limited user account just fine. Your assertion that ActiveX runs with "SYSTEM" permissions is incorrect.  ActiveX runs with the permissions of the current user. Further, your claim that IE runs with a "seven year old" version of Javascript is also incorrect; beyond the improvements made in the version of Javascript shipped with IE7, myriad improvements have been made thus far in IE8.  If you check out the benchmarks, you'll find that it's far faster than the older version it replaced.  The JScript engine isn't "tied to the system"-- it's a standards IActiveScript engine that runs in the IE IActiveScript host.

  • Anonymous
    May 11, 2008
    These are good improvements to IE, I am very much looking forward to IE8 and beyond.

  • Anonymous
    May 11, 2008
    It is a shame that this isn't going to be supported on XP. --Philip

  • Anonymous
    May 12, 2008
    It is a shame that this isn't going to be supported on Windows 95.

  • Anonymous
    May 12, 2008
    These are very good improvements introduced by the IE 8 team

  • Anonymous
    May 12, 2008
    Just hated it when one website causes IE 7 to freeze or slow down and it affects every other website in IE 7. Can you isolate the website so that all other websites ("IE tabs") are not affected?

  • Anonymous
    May 13, 2008
    I should be watching this Code Thank you very much

  • Anonymous
    May 14, 2008
    Mitch74: I think you misunderstand how IE, Javascript, and ActiveX run.   On all current Windows platforms, IE & Javascript run with the user's permissions (or lower) and not "System" as you suggest.   It's ~possible~ to develop an ActiveX control that calls into a collaborating service running with higher level of permission, but such an architecture is very rare; the vast majority of ActiveX controls run only with user permissions. The advantage of IE7 on Vista (over competitive browsers) is that IE, Javascript, and ActiveX all run at "Low" Integrity, which means they run with even fewer permissions than the user has in their "Limited" account.  Thus, even if IE is compromised, the user's documents and applications cannot be modified/deleted/etc.

  • Anonymous
    May 17, 2008
    Most ActiveX controls are global in nature; once installed, any web page can make use of them. This increases security exposure.

  • Anonymous
    May 17, 2008
    Another useful ActiveX control lets the Web distribute Microsoft PowerPoint Animation files directly to Internet Explorer, complete with transitions and other presentation attributes, but without the need for PowerPoint itself. Currently, the ActiveX control needs to be manually downloaded and installed from Microsoft at http://www.microsoft.com/mspowerpoint/internet/player/default.htm, but once you do, you can interactively work with PowerPoint files directly with your Web browser. thanks

  • Anonymous
    May 18, 2008
    Romanet, that is a pretty cool feature. Thanks for sharing!

  • Anonymous
    May 27, 2008
    I was reading up about IE8 Beta 2 yesterday, and I came across an interesting post about how ActiveX

  • Anonymous
    June 11, 2008
    Yesterday at Tech Ed IT Pro 2008 in Orlando we announced some of the enhancements we’re making in Internet

  • Anonymous
    June 17, 2008
    At 3:00am AEST on Wednesday 18th of June will herald the release of Firefox 3. It's a big jump ahead from the heady days of Firefox 1 and Firefox 2 days. This version includes over 15,000 enhancements from the 2.x series. It's faster, funkier an

  • Anonymous
    July 02, 2008
    As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

  • Anonymous
    July 02, 2008
    Internet Explorer 8 - Security

  • Anonymous
    July 09, 2008
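    Translation is not something a beginner like me should casually take on. Not easy, not easy.. Anyway, I have finished translating IE 8 Security Part 2, and it will go up on the 엔쵸비 blog soon..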

  • Anonymous
    July 21, 2008
    What is with the clickbait articles claiming ActiveX is going away in Internet Explorer 8? If anything, it is being improved.

  • Anonymous
    July 27, 2008
    Security documentation related to ActiveX in IE8. And the Add-on management feature. For reference, ActiveX security in IE7

  • Anonymous
    August 12, 2008
    The release of Beta 2 of version 8 of Internet Explorer is fast approaching. As

  • Anonymous
    August 27, 2008
    Windows Internet Explorer 8 Home page (home page) Internet Explorer 8: Worldwide sites (download) Internet Explorer

  • Anonymous
    August 28, 2008
    The next beta for Internet Explorer has been released for broad distribution to the public, according

  • Anonymous
    August 29, 2008
    Back in June, Dean Hachamovitch kicked off a series of blog posts explaining how the IE team approached

  • Anonymous
    October 07, 2008
    A: One of the new features for Internet Explorer 8 (Windows Vista only) is ability to install ActiveX

  • Anonymous
    February 09, 2009
    Hello, I'm Alex Glover and I'm the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen

  • Anonymous
    February 17, 2009
    Changes to the SmartScreen Filter in IE8 RC1 Hi, my name is Alex Glover and I am the lead

  • Anonymous
    March 16, 2009
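    The post below is a translation of the second of the IE 8 security posts published on the IEBlog. Up to Part 5 is currently out, and I plan to translate them as a series. Not only this post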

  • Anonymous
    March 19, 2009
    At Tech Ed IT Pro 2008 (English), held in Orlando, in order to deploy and manage Internet Explorer 8 within an organization, several features

  • Anonymous
    March 25, 2009
    Over the last year, we’ve published two posts about how the IE8 SmartScreen ® filter helps to prevent

  • Anonymous
    March 30, 2009
    Last year we published a couple of posts about how the IE8 SmartScreen filter helps prevent phishing

  • Anonymous
    April 21, 2009
    I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust: A Collaborative