From RISKS DIGEST, retrieved on Mar 30, 1998

Processing query : Explorer,MSIE,MS IE,ActiveX

Volume 6 Issue 34

• cannot access drive "C". Norton Adv, PC-Tools 4.11, Explorer and Ultra-

Volume 11 Issue 22

• classes of computer-dependent people (Networker, Worker, Explorer), according

Volume 16 Issue 91

• Thro, "Artificial Life Explorer's Kit", 1993, 0-672-30301-9, U$24.95/C$31.95 -

Volume 17 Issue 62

• Internet Explorer unwisely execute downloaded binaries without even a virus

Volume 18 Issue 06

• files are visible in Explorer, with bad characters shown as underscores.

Volume 18 Issue 32

• Explorer 3.0beta3 and one in Netscape Navigator 3.0beta5. Both bugs were
• [The "current release" of the Microsoft Internet Explorer is the one

Volume 18 Issue 36

• Internet Explorer Security Problem
• Internet Explorer Security Problem
• Microsoft's Internet Explorer browser running under Windows 95. An attacker
• could exploit the flaw to run any DOS command on the machine of an Explorer
• page that deletes a file on the machine of any Explorer user who visits the
• Normally, before Explorer downloads a dangerous file like a Word document,

Volume 18 Issue 37

• Re: Internet Explorer security problem
• Re: Internet Explorer security problem (Felten, RISKS-18.36)

Volume 18 Issue 38

• Why Java, Bash, Explorer, and other bugs keep hurting us
• Thomas Reardon of Microsoft points out that Internet Explorer 3.0 now
• ActiveX modules because they are considered safe there, but now (sorry NOT)
• allowed to download ActiveX bits from the Internet, how is he able to tell
• Why Java, Bash, Explorer, and other bugs keep hurting us
• Explorer error lets you overwrite system and other files:

Volume 18 Issue 50

• The first forum was on the topic of ActiveX and Java. The second forum is

Volume 18 Issue 61

• Making good ActiveX controls do bad things
• Making good ActiveX controls do bad things
• There has been a great deal of talk about how ActiveX controls can be
• recognized is that even standard ActiveX controls can be made to do
• URL file:///aux Internet Explorer will go into an infinite loop under
• Windows 95. Attempting to shutdown Internet Explorer by doing an "End
• VBScript and ActiveX combo disk crasher
• Even more worrisome are ActiveX controls that contain methods (i.e.,
• viewing an HTML page that contains the ActiveX control and the
• available ActiveX controls that have methods that will save files to
• Internet Explorer 3.
• ActiveX security problems.

Volume 18 Issue 62

• Risks of ActiveX
• Risks of ActiveX
• ActiveX, the problems are likely to grow in the coming months and years.
• That's because ActiveX is key to Microsoft's long-term strategy of
• I have had numerous conversations with Microsoft employees about ActiveX
• folks, the dangers in ActiveX controls are no different than the dangers
• course, is that truly malicious ActiveX components won't tell you that they
• two-pronged attack. For example, one ActiveX control could change Internet
• Explorer's ActiveX security level so that you would run unsigned applets;
• go into the ActiveX security problem in some detail. If you wish to read

Volume 18 Issue 64

• version of the Java Support for Internet Explorer that fully supports
• This tag causes the user's Internet Explorer to check the version of its
• Internet Explorer downloads the latest version of Java support from

Volume 18 Issue 68

• You can't rewrite history in Internet Explorer 3
• You can't rewrite history in Internet Explorer 3
• Microsoft Internet Explorer 3 for Windows 95 maintains two special
• Clearing the History folder removes the entries visible in the Explorer
• first resetting attributes) from within File Manager or Explorer.
• What Every Netscape and Internet Explorer User Needs to Know

Volume 18 Issue 69

• Warning! Security risks with ActiveX!
• Warning! Security risks with ActiveX!
• FIX ACTIVE-X SECURITY PROBLEMS. Objects built with ActiveX can access system
• ActiveX code comes from the developer that users think it comes from. But
• ActiveX does now.

Volume 18 Issue 80

• ActiveX application, which automatically starts and checks to see if
• forbid browsers from executing any ActiveX component without express
• authorization, but that rather circumvents part of what ActiveX is intended

Volume 18 Issue 81

• [Summary: an ActiveX control can add a pending online transfer to
• accept an ActiveX control, you're allowing completely arbitrary code to
• hackery required to do it with Java. ActiveX hands away the keys to your
• That said, ActiveX still has its uses. On a corporate internal network,
• ActiveX is a nice replacement for custom internal applications, where the
• internal app would have been completely trusted, anyway. ActiveX across the
• The solution? Blocking ActiveX (or Java) at the firewall seems fragile, at
• policy [e.g., only allow ActiveX signed by your IS department] inside every
• ActiveX program, currently undergoing final usability tests and stringent

Volume 18 Issue 82

• Hostile ActiveX Control demonstrated
• More on the risks of ActiveX
• Hostile ActiveX Control demonstrated
• Chaos Computer Club) demonstrated how inherent risks of Microsoft`s ActiveX
• Internet Explorer, an ActiveX control would be downloaded into the victims
• According to some Microsoft expert, "all users should know" that ActiveX may
• suggested to disable ActiveX if the system is used for purposes of
• malign effects of ActiveX, Microsoft suggests using its ActiveX
• More on the risks of ActiveX
• Perhaps all of the controls that come with MSIE are perfectly safe, and
• by enabling ActiveX within a browser, many companies are avoiding the
• automatically remove the components that drive ActiveX (i.e. VBscript, the
• Object tag, etc). Not allowing ActiveX to be enabled in a web browser would
• seem to be a minimum requirement, not allowing browsers that support ActiveX

Volume 18 Issue 83

• ActiveX basic problem
• MS on the CCC ActiveX virus
• Microsoft "defends" ActiveX
• to mobile code systems like Java, ActiveX, and JavaScript. To join, send
• ActiveX basic problem
• As it has been pointed out in *Dr. Dobbs' Journal*, an ActiveX control is no
• This alone should ring the death knell on use of ActiveX for anything other
• MS on the CCC ActiveX virus (fwd)
• Here is Microsoft's official line on the security of ActiveX.
• Subject: MS on the CCC ActiveX virus
• sending it out to the Internet Explorer community. In it, Brad Silverberg
• I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has
• its default security level (High) that comes pre-set, Internet Explorer 3.0
• Internet Explorer 3.0, though they could just as easily have demonstrated a
• application macros, Java(tm) applets, ActiveX(tm) controls, Navigator
• Internet Explorer 3.0, Microsoft has initiated efforts to protect users
• against these threats. Microsoft Authenticode(tm) in Internet Explorer 3.0
• your computer, Microsoft Internet Explorer presents you with a dialog either
• against these types of threats in Internet Explorer. We expect hackers and
• Microsoft "defends" ActiveX
• MS response to the activeX/quicken bug where downloaded activeX applets can

Volume 18 Issue 84

• Re: MS on the CCC ActiveX virus
• ActiveX - a real world view
• ActiveX exploitation code in iX 3/97
• Re: MS on the CCC ActiveX virus (RISKS-18.83)
• and remain changed. Other flaws in Explorer may be used to turn
• This is not accurate. The very nature of ActiveX makes it
• make attempts at providing improved protection, ActiveX is a
• No disguise is needed for malicious ActiveX programs. Any ActiveX
• Even if you choose wisely, ActiveX is a hole waiting to be exploited
• Re: MS on the CCC ActiveX virus (RISKS-18.83)
• ActiveX - a real world view
• While at a technical level, most of what has been said about ActiveX and
• than ActiveX.
• I'm using ActiveX on software.net (a restartable download control from
• ActiveX exploitation code in iX 3/97
• article by Lutz Donnerhacke and Steffen Peter about the ActiveX hack.

Volume 18 Issue 85

• Worcester Poly student finds Internet Explorer flaw
• German newspaper. I did not write the program!! That ActiveX translation
• Worcester Poly student finds Internet Explorer flaw
• Explorer 3.01 browsers (and possibly earlier versions?). The flaw can be
• triggered *without* using ActiveX, and even if IE is set to its highest
• technology (boy, that'll get me mail :-) found in Internet Explorer 3 and in
• Java VM and its attendant sandbox, has mechanisms for classifying ActiveX
• pages). These are designations assigned by the ActiveX component developers
• plug-ins, arbitrary EXEs, .Zip files, Java (system) classes, ActiveX
• respect to ActiveX apply equally to all these _other_ forms of application,
• attacked by a malicious ActiveX control, some piece of malicious or

Volume 18 Issue 86

• ActiveX security? TISK, TISK
• ActiveX security? TISK, TISK
• The recent comments about ActiveX and Authenticode have been useful and
• constructive, but have focused so far on how *an* ActiveX control operates.
• Consider two ActiveX controls. One provides a control similar to the Win95
• Consider a second ActiveX control that provides a "cron" facility. This
• would be possible to come up with a co-operating gang of ActiveX controls to
• ActiveX/Authenticode, however, does not seem to have such a potential. So
• tell me how to configure a Win95 system such that an ActiveX control (or
• Users of ActiveX are being encouraged (by Microsoft's documentation - I can
• ActiveX control is downloaded.
• attacking in this way. Now, all signed ActiveX controls are worth attacking.
• because it's effectively impossible to revoke a signed ActiveX control, if
• The basic problem is that the architecture of ActiveX effectively makes _all_
• attacks against ActiveX. Microsoft's response so far to concerns about
• ActiveX security has been one of denial and spin-doctoring; that has
• I entirely reject the claim that ActiveX provides the same level of
• passed to the application when it is installed. With ActiveX, you have no
• Let's be clear about this; an audit log is not feasible for ActiveX
• security mechanism, ActiveX with Authenticode has a rather big hole in it.
• First, there are no mechanisms to prevent a web page from invoking the ActiveX
• several weeks the page at http://www.digicrime.com/activex was happily
• invoking an ActiveX component referenced and downloaded by clients from the
• Internet Explorer, you were presented with an official looking seal from
• Second, ActiveX controls have no inherent protection from the problem of
• Combining these two features of ActiveX, Authenticode becomes largely
• ActiveX and Authenticode technology? None of the above I think. And even if
• because technologies like ActiveX are in their infancy and are not yet
• to patch an unrelated security bug in MSIE 3.0 (see Risks 18.85). Clearly

Volume 18 Issue 87

• Internet Explorer. They claim "this loophole allows an attacker to connect

Volume 18 Issue 88

• Two More Microsoft Internet Explorer Bugs
• Re: ActiveX security: The other side
• Two More Microsoft Internet Explorer Bugs
• why don't we look at the basic statement used to defend ActiveX?
• for example, than it is to verify and trust every ActiveX control which comes
• who ever writes or has a hand in every ActiveX control we use. In the
• Re: ActiveX security: The other side (Rath, RISKS-18.87)
• distribution system similar to ActiveX or FTP inc's CyberAgent I have done
• Looked at from this view point ActiveX vs Java can be seen as sort of

Volume 18 Issue 89

• ActiveX Security for Dummies
• anyway) or even below? How many people will happily allow an ActiveX applet
• However, both the ActiveX and Java communities can improve on the situation
• and run a Java applet or ActiveX control and let it access the catbox.
• unlike ActiveX, this can be done in a fine-grained incremental fashion as
• ActiveX Security for Dummies (Re: RISKS-18.85-86)
• The recent messages on ActiveX/Authenticode security have prompted me to
• ActiveX glee club, and seems to work:
• I think the parallels with ActiveX and Authenticode are obvious.

Volume 18 Issue 91

• points out that users of Microsoft Internet Explorer who enter a page with a

Volume 18 Issue 92

• MS Internet Explorer for NT security hole
• Tech journalists are more interested in crises like the Explorer bug than
• Microsoft's Internet Explorer. That's when I became the unwitting source of
• Explorer." Sort of like ActiveX without the code-signing.
• Microsoft on IE. "I want you to know that this isn't an ActiveX problem,"
• simple - just two flipped bits in IE's registry entries. Internet Explorer
• Explorer - it's the fact that people use the Windows operating system, which
• on the immediate problem - a bug (oh no!) in Internet Explorer.
• this bug in Internet Explorer and ActiveX. Microsoft goes to great pains to
• applications, and yet this one did. What about signed ActiveX components?
• MS Internet Explorer for NT security hole

Volume 18 Issue 94

• Warning to MSIE users
• Warning to MSIE users

Volume 19 Issue 01

• discussions about ActiveX and Java. -- Mark
• on the web, ActiveX and Java. Microsoft will set the standards and Netscape

Volume 19 Issue 04

• Re: aste-RISKS (Warning to MSIE users), RISKS 18.94

Volume 19 Issue 06

• YAAXF: Yet Another ActiveX Flaw
• YAAXF: Yet Another ActiveX Flaw
• Microsoft's ActiveX has security flaw, Sun says
• The demonstration ActiveX control *had* been signed.
• browser (where you normally type URLs). To customize your MSIE browser

Volume 19 Issue 09

• Re: YAAXF: Yet Another ActiveX Flaw
• Re: YAAXF: Yet Another ActiveX Flaw (Kennedy, RISKS-19.06)
• ActiveX objects don't attempt to prevent any action, beyond the security
• Sun says "specially written program containing ActiveX", what they really
• mean is simply an ActiveX object. What's specially written?
• to do that? Besides, its highly unlikely that the ActiveX object actually
• Finally, why we needed to hear from David Kennedy that the ActiveX object
• Stick to Risks. Accepting ActiveX objects across untrusted boundaries

Volume 19 Issue 13

• Explorer), and there's a bit of a twist to the tale. This particular
• into a rich computing experience. (See previous postings on ActiveX for an

Volume 19 Issue 14

• Internet Explorer runs arbitrary code: MIME type overridden
• Internet Explorer runs arbitrary code: MIME type overridden
• Microsoft Internet Explorer (3.x and 4.0) thinks that URLs of the form
• even if "Enable ActiveX controls and plug-ins" and "Run ActiveX scripts" are

Volume 19 Issue 18

• (java/javascript/activeX) security holes, right?
• Internet Explorer - 'GOOD TIMES' anyone?
• implementations found in Microsoft Internet Explorer 4.0 and Sun JDKs 1.1.1

Volume 19 Issue 21

• MSIE) insists however that 020 is actually equal to 16. Ok so I realised

Volume 19 Issue 22

• > Netscape (and MSIE) insists however that 020 is actually equal to 16.

Volume 19 Issue 25

• > (java/javascript/activeX) security holes, right?

Volume 19 Issue 26

• The dangers of Explorer-ation
• Using either Netscape 4 or Microsoft Internet Explorer 4 type "msnbc" in the
• The dangers of Explorer-ation
• noticed recently that several Microsoft products now use their Explorer
• of the "riskier" capabilities such as ActiveX and Java support - otherwise
• again, the only way to access the data on the CD was via Explorer with
• ActiveX and Java applet loading enabled.

Volume 19 Issue 27

• Re: The dangers of Explorer-ation
• Re: The dangers of Explorer-ation (Barnett, RISKS-19.26)
• Explorer with ActiveX, Scripting and Java turned on to get at the

Volume 19 Issue 29

• Yet Another Java Flaw-this time with MSIE?
• Yet Another Java Flaw-this time with MSIE?
• C-Net News is reporting a flaw with Microsoft's Internet Explorer 3.x and

Volume 19 Issue 30

• hard-drive. You need an ActiveX-enabled browser to use the feature.
• Then, the ActiveX component is downloaded and starts doing a "virus scan" of
• I checked out the site, their ActiveX component is digitally signed, but
• hard-drive to some random company's ActiveX component. In fact, this

Volume 19 Issue 38

• Composition Explorer (ACE), which was launched on Aug. 25th.

Volume 19 Issue 41

• Risks of installing Internet Explorer 4.0
• Risks of installing Internet Explorer 4.0
• cruddy in comparison with MSIE (not to mention all of the other software on
• in MSIE 4.0 that were intended to, in some sense, impede the software of
• Internet Explorer 4.0, including Netscape.
• ActiveX as the "new cutting edge" of web scripting. Apparently Microsoft's
• I guess since my own homebrew Foobar Explorer Web browser has the

Volume 19 Issue 46

• Internet Explorer 4 buffer-overflow security bug fixed
• Internet Explorer 4 buffer-overflow security bug fixed
• Explorer 4 discovered by DilDog at the University of Massachusetts,

Volume 19 Issue 47

• use Internet Explorer. Of course, I don't expect them to actually say that

Volume 19 Issue 48

• Risks of bundling in Microsoft Internet Explorer
• Risks of bundling in Microsoft Internet Explorer
• Internet Explorer. Some programs automatically install MS IE 3.0 during
• installation. If MS IE 4.0 is already installed, the resulting mess leaves
• I've also heard rumors that installing (at least one version of) MS IE will
• mismatched MSIE DLLs, but few people would understand why installing one

Volume 19 Issue 49

• Explorer 'res://' bug and the Pentium bug could be combined.
• A demonstration of the exploitation of the 'res://' Internet Explorer bug in

Volume 19 Issue 53

• Open Internet Explorer.
• Select "About Internet Explorer" from the help menu.
• pushes the words "Microsoft Internet Explorer 4.0" out of the way and

Volume 19 Issue 55

• ActiveX controls -- You just can't say no!
• ActiveX controls -- You just can't say no!
• I have had a glimpse of the ActiveX future and it is not a pretty picture.
• The MSNBC Web site (www.msnbc.com) uses an ActiveX control called the MSNBC
• Explorer is hell. The problem is that NewsBrowser control is present on
• installing the NewsBrowser control on your PC, Internet Explorer will
• ActiveX controls whether they like them or not.
• The problem here is a design flaw in ActiveX Authenticode system. It
• There is a simple solution to this problem in the ActiveX Authenticode
• system. Simply use Netscape Navigator which doesn't support ActiveX

Volume 19 Issue 56

• browser in Internet Explorer. Same corruption in the file. Telnet-ed to

Problems to:

you should not click here or here.