Removing and Preventing Malicious Active Controls

This section discusses several things you can do to remove malicious ActiveX controls and minimize the risk from them. The following items were covered in Chapter 10 and aren’t covered in detail here:

  • Total security: Disable ActiveX, scripting of ActiveX objects, or Internet access

  • Use an antivirus scanner

  • Use the latest browser version

  • Apply the latest security patches

  • Avoid malicious sites

  • Be aware of socially engineered malicious code

The following sections cover further items in more detail.

Run Only Trusted Code

Running only the code you trust is a significant step in reducing your exposure to malicious mobile code. In the theoretical world of ActiveX, this means only running digitally signed code. With the Internet zone’s default security set, this is automatic. At a low setting, you will be prompted if you want to run unsigned code. With any other setting, unsigned code is discarded without any user notification.

Unfortunately, trusted and signed code fails the digital certification process all the time. Sometimes the cause is something as minor as a web site name change (the name is stored in the certificate) or an expired certificate. Most controls aren’t signed at all (see Figure 11-12). They come from legitimate vendors and are safe to use, but for whatever reason, the software programmers didn’t go through with the extra effort and money necessary to digitally sign the code. Thus, it is up to the user whether to accept the unauthenticated ...
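
The following PowerShell inventory is an added example, not code from the book. It lists control binaries and shows which are unsigned, which fail Authenticode verification, and which were signed with a certificate that has since expired. The directory (the Internet Explorer control download cache) and the function name `Get-ControlSignatureReport` are assumptions chosen for illustration.

```powershell
# Added example: report the Authenticode state of installed control binaries.
# Assumption: controls were installed into the Internet Explorer download
# cache; point $controlDir at any other directory you want to audit.
$controlDir = Join-Path $env:SystemRoot 'Downloaded Program Files'

# Hypothetical helper name. Returns one object per .ocx/.dll file found.
function Get-ControlSignatureReport {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.ocx', '.dll' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate   # $null when the file is unsigned

            [pscustomobject]@{
                File          = $_.Name
                # Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
                Status        = $sig.Status
                Signer        = if ($cert) { $cert.Subject } else { $null }
                CertExpires   = if ($cert) { $cert.NotAfter } else { $null }
                # True when the signing certificate is past its validity period
                CertExpired   = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
                # A countersigned timestamp records when the code was signed
                Timestamped   = [bool] $sig.TimeStamperCertificate
                StatusMessage = $sig.StatusMessage
            }
        }
}

# Unsigned and failing controls sort apart from the valid ones for review.
Get-ControlSignatureReport -Path $controlDir |
    Sort-Object Status, File |
    Format-Table File, Status, CertExpired, Timestamped, Signer -AutoSize
```

Rows with a `Status` of `NotSigned` are the unsigned controls the text describes. For any other non-`Valid` row, `StatusMessage` carries the reason verification failed.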
