Internet Explorer BindToObject Mitigation

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Internet Explorer BindToObject Mitigation

Viewing 0 reply threads
  • Author
    • #2202

      The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
      Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
      Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
      not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and
      Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
      using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
      Pack 2.
      What does BindToObject Mitigation do?
      In Windows Server 2003 with Service Pack 1, the ActiveX security model is applied in all cases where URL binding is used to
      instantiateand initializean object.The ActiveX security model allows controls to be marked as “safefor scripting”and “safefor
      initialization”and provides users with theability to block or allow ActiveX controls by security zone, based on thosesettings.
      This allows greater flexibility and control of activecontent in InternetExplorer.
      Who does this feature apply to?
      Web developers and network administrators need to beaware of these new restrictions to plan changes or workarounds
      for any possibleimpact to their Web site.
      Application developers should review this featureto plan to adopt changes in their applications.
      Users could beaffected by sites thatare not compatible with thesestricter rules.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      None.Existing security functionality is being extended.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      ActiveX security model applied to URL object initializations
      Detailed description
      The mosteffective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at thesource of the
      URL binding: URLMON. Declaring an ActiveX control in an HTML page using the tag and CODEBASE attributeis one
      commonly known example of using BindToObject.Thesamefunctionality is used by any component that wants to resolvea
      URL and get back a stream or object.The ActiveX security model is now applied to all object initializations with a URL as a
      Why is this change important?
      In thecase of ActiveX controls, the ActiveX security model allows controls to be marked as “safefor scripting” or “safefor
      initialization”and provides users with theability to block or allow ActiveX controls by zone, based on thosesettings. In earlier
      versions of Windows, this security framework was notapplied in all cases where URL binding took place. Instead, thecalling
      code was responsiblefor assuring theintegrity and security of thecontrol, which could often result in security vulnerabilities.
      Thereare now a number of publicexploitvariations thatexposethis exact issue by going through InternetExplorer to
      compromisevulnerabilities in thecalling code.
      What works differently?
      The ActiveX security model is applied to all object initializations with a URL as a source,and the”Safefor initialization” tag is
      applied to all objects.This mitigation only applies to cases whereInternetExplorer resolves a URL, instantiates an object,and
      initializes the object with data retrieved from that URL.
      How do I resolve these issues?
      Application compatibility problems should be minimal. Applications can opt out if they havetheir own security manager.For
      moreinformation about opting out of this security model, see”Security Considerations: URL Security Zones API,” on the
      Microsoft Web siteat
      Applications can also opt in or out of this mitigation using thefeaturecontrol key FEATURE_SAFE_BINDTOOBJECT,as
      described in thetopic InternetExplorer Using Feature Control Registry Settings with Security ZoneSettings.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      InternetExplorer Object Caching
      Location Previous
      HKEY_LOCAL_MACHINE (or Current User)\Software\Microsoft \Internet
      Explorer\Main \FeatureControl \FEATURE_SAFE_BINDTOOBJECT
      None 1 0 – Off
      1 – On

Viewing 0 reply threads
  • You must be logged in to reply to this topic.