Running Activex control and Maintaining security

Question

Hi Techies,

In my a web application, I have a part to invoke an activex control .The Activex control is available in all the client PCs who are accessing my web application from web server. But When trying to run this ActiveX control from the browser in client machine (using Wshell), It was not getting invoked since "Run Activex Controls and Pluggins" are disabled in my browser. So I changed the browser settings to enable mode and Then the Activex control gave me the expected output. I afraid that this change in browser settings would allow any other website to harm my system. How could I get rid of this problem? Any thoughts? Thanks in advance

Answer 1

There had been a lotta secutiry changes introduced from Vista + IE7 onwards. Where in the IE starts in the procted mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code.

More details : http://msdn.microsoft.com/en-us/library/bb250462.aspx#wpm_aarwm

So developers have to modify the applications to confirm to the new standards like starting the process from the plugin - sending widows messages from LI(Low Intergirty) to HI process etc.

Answer 2

You can digitally sign your ActiveX so that users do not have to compromise the security of their browser too much in order to allow it to run. But, essentially, ActiveX isn't very secure and these problems always pop up when you choose ActiveX...