Internet Explorer BindToObject Mitigation


This topic contains 0 replies, has 1 voice, and was last updated by Webmaster 3 months, 1 week ago.

    Post #2202 by Webmaster (Keymaster)

    The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
    What does BindToObject Mitigation do?
    In Windows Server 2003 with Service Pack 1, the ActiveX security model is applied in all cases where URL binding is used to instantiate and initialize an object. The ActiveX security model allows controls to be marked as "safe for scripting" and "safe for initialization" and provides users with the ability to block or allow ActiveX controls by security zone, based on those settings. This allows greater flexibility and control of active content in Internet Explorer.
    Who does this feature apply to?
    Web developers and network administrators need to be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.
    Application developers should review this feature to plan to adopt changes in their applications.
    Users could be affected by sites that are not compatible with these stricter rules.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    None. Existing security functionality is being extended.
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    ActiveX security model applied to URL object initializations
    Detailed description
    The most effective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at the source of the URL binding: URLMON. Declaring an ActiveX control in an HTML page using the <OBJECT> tag and its CODEBASE attribute is one commonly known example of using BindToObject. The same functionality is used by any component that wants to resolve a URL and get back a stream or object. The ActiveX security model is now applied to all object initializations with a URL as a source.
    Why is this change important?
    In the case of ActiveX controls, the ActiveX security model allows controls to be marked as "safe for scripting" or "safe for initialization" and provides users with the ability to block or allow ActiveX controls by zone, based on those settings. In earlier versions of Windows, this security framework was not applied in all cases where URL binding took place. Instead, the calling code was responsible for assuring the integrity and security of the control, which could often result in security vulnerabilities. There are now a number of public exploit variations that expose this exact issue by going through Internet Explorer to compromise vulnerabilities in the calling code.
    What works differently?
    The ActiveX security model is applied to all object initializations with a URL as a source, and the "Safe for initialization" tag is applied to all objects. This mitigation only applies to cases where Internet Explorer resolves a URL, instantiates an object, and initializes the object with data retrieved from that URL.
    How do I resolve these issues?
    Application compatibility problems should be minimal. Applications can opt out if they have their own security manager. For more information about opting out of this security model, see "Security Considerations: URL Security Zones API," on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=21814.
    Applications can also opt in or out of this mitigation using the feature control key FEATURE_SAFE_BINDTOOBJECT, as described in the topic Internet Explorer Using Feature Control Registry Settings with Security Zone Settings.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    Internet Explorer Object Caching

    Setting name:           IExplore.exe, Explorer.exe, WMPlayer.exe
    Location:               HKEY_LOCAL_MACHINE (or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
    Previous default value: None
    Default value:          1
    Possible values:        0 – Off, 1 – On
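
    The following script is an added example, not part of the original post or of Microsoft's documentation. It audits the FEATURE_SAFE_BINDTOOBJECT feature control described in the "How do I resolve these issues?" section, using the key location and the per-process value names (IExplore.exe, Explorer.exe, WMPlayer.exe) from the table above, and can optionally write the documented "On" value. It assumes a PowerShell host is available on the server, that each value is a REG_DWORD named after the process image (1 = On, 0 = Off, as the table shows), and that both the HKEY_LOCAL_MACHINE and Current User locations are worth reporting because the table lists either.

```powershell
# Added example (not from the original post): audit, and optionally enable, the
# FEATURE_SAFE_BINDTOOBJECT feature control for the processes listed in the table.
# Assumptions: value name = process image name, data = REG_DWORD (1 = On, 0 = Off).
[CmdletBinding()]
param(
    # Write 1 for any process whose value is Off or unset (HKLM writes need an admin session).
    [switch]$Enable,
    [string[]]$Processes = @('IExplore.exe', 'Explorer.exe', 'WMPlayer.exe')
)

$subKey = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT'
$hives  = @{ 'HKLM' = "HKLM:\$subKey"; 'HKCU' = "HKCU:\$subKey" }

function Get-BindToObjectState {
    # Returns On / Off / 'not set' / 'key missing' for one process under one hive.
    param([string]$Path, [string]$Process)
    if (-not (Test-Path -Path $Path)) { return 'key missing' }
    $item = Get-ItemProperty -Path $Path -Name $Process -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    switch ([int]$item.$Process) {
        1       { 'On' }
        0       { 'Off' }
        default { "unexpected value $($item.$Process)" }
    }
}

# Build one row per hive/process pair so the report is easy to read or export.
$report = foreach ($hive in $hives.Keys) {
    foreach ($proc in $Processes) {
        [pscustomobject]@{
            Hive    = $hive
            Process = $proc
            State   = Get-BindToObjectState -Path $hives[$hive] -Process $proc
        }
    }
}
$report | Format-Table -AutoSize

if ($Enable) {
    # Only touch rows that are not already On; create the key if it does not exist yet.
    foreach ($row in ($report | Where-Object { $_.State -ne 'On' })) {
        $path = $hives[$row.Hive]
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $row.Process -Value 1 -Type DWord
        Write-Host "Set $($row.Hive)\...\FEATURE_SAFE_BINDTOOBJECT\$($row.Process) = 1"
    }
}
```

    Run it without arguments to get the audit table, or with -Enable from an administrator session to set the documented default of 1 where it is missing. A value of 1 in the registry only shows that the feature control is requested for that process; as the post notes, an application that supplies its own security manager can still opt out of the mitigation, and that opt-out is not visible from this key.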
