Solved

what is "safe ActiveX" control?

Posted on 2000-05-15
12
280 Views
Last Modified: 2013-11-18
I have written an ATL control to be embedded in the web page. The control will perform some file operation on the client's machine. Since IE's default security setting will not run a control that is not signed, I obtained a digital signiture from VeriSign and signed my control. Now when the user goes to the webpage, a message box will come up saying that the control is signed by my company and asks the user whether he wants to run the control. This is great. But when the user clicks "Yes" to run the control, another message box comes up and saying the current browser security setting does not allow a control that is unsafe to run. What does it mean? I thought by signing the control and user acceptance, any control should be able to run under the default security settings? Did I miss anything?
0
Comment
Question by:onlygo
  • 4
  • 3
  • 2
  • +3
12 Comments
 
LVL 15

Expert Comment

by:lyonst
Comment Utility
Hi Onlygo,

You could try the following to see if the problem goes away -

Internet Explorer 4
Click Start, point to Settings, click Control Panel, double-click Internet, click the Security tab, click Medium (More Secure), and then click OK.

Internet Explorer 5
Click Start, point to Settings, click Control Panel, double-click Internet, click the Security tab, move the slider to Medium (More Secure), and then click OK.

Hope this helps,

T.
0
 
LVL 15

Expert Comment

by:lyonst
Comment Utility
Hi,

If the issue continues to occur, try following these steps:


On the Tools menu in Internet Explorer, click Internet Options.


On the Security tab, click Internet, and then click Custom Level.


Under Run ActiveX Controls And Plug-ins, click Enable or Prompt.


Under Script ActiveX controls marked safe for scripting, click Enable or Prompt.


Under Java Permissions, click High Safety.


Click OK, and then click Yes.


Click OK.


T.
0
 
LVL 15

Expert Comment

by:lyonst
Comment Utility
Hi,

Final Possible Solution -

To resolve this issue, configure the ActiveX controls and plug-ins security settings in Internet Explorer to Enable:

Right-click the Internet Explorer icon on the desktop, and then click Properties.


On the Security tab, click Custom Level.


Under ActiveX controls and plug-ins, click Enable under the following security settings:


Initialize and script ActiveX controls not marked as safe


Run ActiveX controls and plug-ins


Click OK.


Click Yes when you are prompted to change the security settings for the zone.


T.
0
 
LVL 22

Expert Comment

by:CJ_S
Comment Utility
Running Applications Securely
End users are protected from malicious applications because Internet Explorer ensures that only safe applications run on end-user systems. ActiveX controls that are hosted on Web sites trusted by the user can be downloaded and run on the end-user's system using all the features of the operating system. Users accept such trusted ActiveX controls just as they trust shrink-wrapped applications today for the desktop. Because ActiveX will not run the trusted control if it is modified after leaving the trusted Web site, the user is protected against malicious modification of applications during download.

On the other hand, ActiveX controls and Java applets on Web sites that are not trusted by an end user are not permitted to use all the features of the operating system. Because these untrusted ActiveX controls and Java applets are downloaded from a Web site and are limited to using a safe set of operating system features on the end-user system, they cannot compromise the security of the end-user system. Internet Explorer ensures that Java applets and untrusted ActiveX controls do not use the underlying operating system.

Internet Explorer supports trusted ActiveX controls that are written in languages such as Java, Visual C++, and Visual Basic. ActiveX supports those untrusted ActiveX controls written in the Java programming language.
0
 

Author Comment

by:onlygo
Comment Utility
Thanks people, for your comments. However, two quick points:

1. I know how to change the security settings to let my control run. But I just can't do that because it brings lots of inconvenience to the users (lots of users may not even know how to do all those setting changes)

2. I also understand the basic security issues like Applets/ActiveX security constraints. My question is : why the *digital signed* control still can't run? If the signed control is still bound by the security restrictions, what's the point of signing?
0
 
LVL 7

Expert Comment

by:KangaRoo
Comment Utility
Maybe this is completely of topic, but, franky, I wouldn't let a webpage mess around a bit on my system (so all ActiveX and jave is by default disabled). There is very good reason to disable active content.

Why do you need this? It is very uncontrollable, IE settings may differ, onlly available on Windows and how about other browsers?
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 15

Expert Comment

by:Tommy Hui
Comment Utility
You need to also write code to make it work in IE4 and higher. Look in the MSDN documentation for the IObjectSafety interface. There's code to show you how to implement it as well.
0
 

Author Comment

by:onlygo
Comment Utility
Well, what I want to write is actually something like InstallShield's InstallFromTheWeb. I want to write and embed the control in a webpage, the control will communicate with my server and retrieve the setup files from the servers and store them in the local harddisk, once the retrieve is done, the control will launch the setup program. I want to do this to minimize the user's operations.
0
 

Author Comment

by:onlygo
Comment Utility
Also, I am not worrying about other browsers. I only need to make it work under IE5 (because my program works only with IE5:)
0
 
LVL 1

Accepted Solution

by:
sharonk earned 600 total points
Comment Utility
You should register your activex as safe for scripting, to do this you must registeter your activex with the "Safe for scripting category", with has the "{7DD95801-9882-11CF-9FA9-00AA006C42C4}" CLSID. For reference see Technical Article
"Signing and Marking ActiveX Controls" by Paul Johns, which you can find in the MSDN.

0
 
LVL 7

Expert Comment

by:KangaRoo
Comment Utility
Tell me, can anyone mark his activeX components as safe??
0
 

Author Comment

by:onlygo
Comment Utility
Thank you sharonk! That's exactly the answer I have been looking for.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

When writing generic code, using template meta-programming techniques, it is sometimes useful to know if a type is convertible to another type. A good example of when this might be is if you are writing diagnostic instrumentation for code to generat…
Many modern programming languages support the concept of a property -- a class member that combines characteristics of both a data member and a method.  These are sometimes called "smart fields" because you can add logic that is applied automaticall…
The goal of the video will be to teach the user the concept of local variables and scope. An example of a locally defined variable will be given as well as an explanation of what scope is in C++. The local variable and concept of scope will be relat…
The viewer will learn how to use the return statement in functions in C++. The video will also teach the user how to pass data to a function and have the function return data back for further processing.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now