[30796] in bugtraq


RE: Windows Update - Unsafe ActiveX control

daemon@ATHENA.MIT.EDU (Drew Copley)
Thu Jul 17 15:50:18 2003

From: "Drew Copley" <dcopley@eeye.com>
To: "'Jackson, Chris'" <CJackson@bridgecom.com>,
        "'Siddhartha Jain(IT)'" <SiddharthaJ@bankmuscat.com>,
        "'BUGTRAQ@SECURITYFOCUS. COM'" <BUGTRAQ@securityfocus.com>
Date: Thu, 17 Jul 2003 11:09:59 -0700
Message-ID: <001701c34c8e$a2f26f10$2b02a8c0@dcopley>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <28BDBE0CC1D28149A5765F27757ED1D407A5D1@mystique.natasha.bridgecomtel.com>

You should not enable "unsafe ActiveX" in order to get Windows Update
to work, however.

http://*.windowsupdate.com, http://download.microsoft.com,
http://windowsupdate.microsoft.com, https://download.microsoft.com, and
http://*.windowsupdate.com should all be enabled in the Trusted Sites zone.
This is the default on Windows 2003.

Some references which are a good rule of thumb:
http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/esc_changes.asp

Windows 2003 does have a good system in this way for the paranoid. It
disables ActiveX and Active Scripting, but it allows for Windows Update
to properly work. Its settings are documented in the above URL.



> -----Original Message-----
> From: Jackson, Chris [mailto:CJackson@bridgecom.com] 
> Sent: Thursday, July 17, 2003 10:35 AM
> To: 'Siddhartha Jain(IT)'; BUGTRAQ@SECURITYFOCUS. COM
> Subject: RE: Windows Update - Unsafe ActiveX control
> 
> 
> > "An ActiveX control on this page is not safe. Your current security
> > settings prohibit running unsafe controls on this page. As a result,
> > this page may not display as intended." So Microsoft expects me to
> > download critical patches using an unsafe ActiveX control??
> 
> Safe for Scripting indicates that a control does not access 
> files, memory, or registers directly. The only purpose of the 
> Windows Update control is to access (and update) files 
> directly, so it should not be marked as safe for scripting.
> 
> -- 
> Chris Jackson
> Software Engineer
> Microsoft MVP
> -- 
> 
> 
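
Added example, not part of the original message: a read-only PowerShell audit of the two settings this thread discusses, the "unsafe ActiveX" URL action in each zone and whether the listed Windows Update sites are mapped to Trusted Sites. It assumes the standard Internet Explorer zone registry layout under HKCU (with EscDomains used when Enhanced Security Configuration is on); the helper name Get-RegValue is hypothetical.

```powershell
# Added example: read-only audit of the current user's IE zone settings.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Hypothetical helper: return a registry value, or $null if key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

# URL action 1201 = "Initialize and script ActiveX controls not marked as safe".
# Data: 0 = enable, 1 = prompt, 3 = disable.
$zoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actionText = @{ 0 = 'ENABLED (unsafe controls can run)'; 1 = 'prompt'; 3 = 'disabled' }
foreach ($z in 1..4) {
    $v = Get-RegValue "$base\Zones\$z" '1201'
    if ($null -eq $v) {
        $state = 'not set for this user'
    } elseif ($actionText.ContainsKey([int]$v)) {
        $state = $actionText[[int]$v]
    } else {
        $state = "unrecognised value $v"
    }
    '{0,-17} 1201 = {1}' -f $zoneNames[$z], $state
}

# Sites named in the message. A "*.domain" entry is stored on the domain key itself,
# a host entry on a subkey; the value name is the protocol and the data is the zone.
# Only these exact keys are read: broader mappings and policy-managed lists are not inspected.
$sites = @(
    @{ Url = 'http://*.windowsupdate.com';         Key = 'windowsupdate.com';           Proto = 'http'  },
    @{ Url = 'http://download.microsoft.com';      Key = 'microsoft.com\download';      Proto = 'http'  },
    @{ Url = 'http://windowsupdate.microsoft.com'; Key = 'microsoft.com\windowsupdate'; Proto = 'http'  },
    @{ Url = 'https://download.microsoft.com';     Key = 'microsoft.com\download';      Proto = 'https' }
)
foreach ($map in 'Domains', 'EscDomains') {
    foreach ($s in $sites) {
        $path = "$base\ZoneMap\$map\$($s.Key)"
        $zone = Get-RegValue $path $s.Proto
        if ($null -eq $zone) { $zone = Get-RegValue $path '*' }   # "*" covers every protocol
        $verdict = if ($null -eq $zone) { 'no entry' } elseif ($zone -eq 2) { 'Trusted sites' } else { "zone $zone" }
        '{0,-11} {1,-36} {2}' -f $map, $s.Url, $verdict
    }
}
```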

