One of the most powerful tools that malware authors have had at their disposal is an ActiveX control. At one time, malware authors commonly developed malicious ActiveX controls and tried to trick their victims into installing them. Today, security features built into IE and into third-party anti-malware software greatly reduced the practice of installing malicious ActiveX controls.
A lot of people don't realize that there are a number of ActiveX controls built into IE6. Although these built-in controls are not malicious in and of themselves, they are frequently used as components in malware attacks.
In Internet Explorer 7, Microsoft disabled almost all of the built in ActiveX controls by default. If a Web site needs to use a control, Microsoft notifies the user through the information bar and has the option of enabling the control.
ActiveX controls can also be manually enabled or disabled through the Add-on Manager, which is accessible through Internet Explorer's Tools menu. As you can see in Figure C, the Add-on Manager allows you to manually enable or disable ActiveX controls individually.
Figure C: Add-on Manager allows you to enable or disable ActiveX controls individually.
The Information Bar
The Information Bar in IE6 notifies the user when Internet Explorer has taken action against a possible security exploit. One change made to the information bar in IE7 is that it is now color-coded. For example, if IE7 is absolutely confident in a site's identity because the site is using a high-assurance certificate, then the information bar is presented in green. On the other hand, if a site is a known phishing site, then the information bar is presented in red.
Another minor, but security-oriented change to the IE user interface is that all browser windows now contain an address bar. This helps prevent malicious pop-up windows from appearing to be part of a legitimate Web site.
These forms of protection are built in to IE7 and are non-configurable.
One last non-configurable, behind the scenes security feature that I want to talk about is cross-domain barriers. In order to prevent malicious code from taking advantage of holes in poorly coded legitimate Web sites, IE7 and its cross-domain protection feature prevents scripts on a Web site from interacting with sites located at other domains.
Configuring IE7 security on Vista
Step 1: General security configuration
Step 2: Phishing filter
Step 3: Protection against international domain names, URL handling
Step 4: ActiveX opt-ins, information bar and cross-domain protection
Step 5: Windows Vista and IE7
ABOUT THE AUTHOR: Brien M. Posey, MCSE, MVP
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com. Copyright 2006 TechTarget
This was first published in September 2008