Malicious Mobile Code by Roger A. Grimes

ActiveX Security

Java’s default security model runs untrusted code in a security sandbox. ActiveX’s default model (see Figure 11-3 later in this chapter) doesn’t run untrusted code, period! The defining question is how ActiveX determines what is untrusted code. In many cases it doesn’t; you do. When you download an ActiveX control, Internet Explorer checks whether the control carries a digital signature and, if it does, who signed it. The signature establishes the author’s identity and that the control has not been altered since it was signed; it says nothing about whether the code is safe. Depending on the browser’s security setting, you may then be asked (see Figure 11-1) to accept or deny the control’s downloading and execution.

Figure 11-1. Internet Explorer ActiveX warning

When you are prompted to accept a new, signed control for the first time, the browser also offers to accept every future control signed by the same author if you check the “Always trust content from ...” box. If you do, the author or vendor becomes a trusted publisher, and later controls from that publisher produce no further notifications: they download and execute without warning. This is a lot of trust to give a vendor, and it persists until you remove the entry, so give it with due consideration. Microsoft writes trusted publishers to the following registry keys:

  • HKU\Software\Microsoft\Windows\CurrentVersion\WinTrust\TrustedPublishers\SoftwarePublishing\TrustDatabase\0

  • HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\TrustedPublishers\SoftwarePublishing\TrustDatabase\0
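The two checks described above, as an added example that is not code from the book or from Microsoft: it inspects the digital signature Internet Explorer evaluates on a downloaded control, and it lists the publishers each user has already marked “Always trust”. It assumes the registry path quoted in the chapter (HKCU is simply the current user’s own hive under HKU, so the script walks every loaded hive under HKU instead of checking HKCU separately); the control path `$ControlPath` is hypothetical and must point at a control you have downloaded yourself. It also lists the per-user TrustedPublisher certificate store, which later Windows versions use for the same purpose.

```powershell
# Added example: audit an ActiveX control's signature and the "Always trust" publishers.
# Not code from the book. $ControlPath is a hypothetical default; supply a real .ocx/.dll/.cab.
param(
    [string]$ControlPath = "$env:TEMP\example.ocx"
)

function Get-ControlSignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Report rather than throw so the publisher audit below still runs.
        return [pscustomobject]@{ File = $Path; Status = 'FileNotFound'; Signer = $null; Issuer = $null; NotAfter = $null; Thumbprint = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $sig.SignerCertificate.Subject   # $null when the control is unsigned
        Issuer     = $sig.SignerCertificate.Issuer
        NotAfter   = $sig.SignerCertificate.NotAfter
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# Trust database location under each user hive, relative path as given in the chapter.
$TrustDbRelative = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\TrustedPublishers\SoftwarePublishing\TrustDatabase\0'

function Get-TrustedPublisherEntries {
    # PowerShell has no HKU: drive by default; map one so every loaded user hive can be walked.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue) {
        $key = "HKU:\$($hive.PSChildName)\$TrustDbRelative"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                User      = $hive.PSChildName      # the user's SID
                Source    = $key
                ValueName = $name
                Data      = $item.GetValue($name)
            }
        }
    }
    # Later Windows versions keep "always trust" publishers as certificates in the
    # per-user TrustedPublisher store; include those so nothing is missed.
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher) {
        [pscustomobject]@{
            User      = 'current user'
            Source    = 'Cert:\CurrentUser\TrustedPublisher'
            ValueName = $cert.Subject
            Data      = $cert.Thumbprint
        }
    }
}

Get-ControlSignatureReport -Path $ControlPath | Format-List
Get-TrustedPublisherEntries | Format-Table -AutoSize
```

Run it from an elevated PowerShell session to see other users’ hives; profiles that are not currently loaded do not appear under HKEY_USERS. Any publisher the audit turns up that you no longer recognise is one whose future controls will run without a prompt, and the fix is to delete its entry (or certificate) rather than to wait for the next download dialog.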

A few sneaky controls have ignored ...