From: Alan Ramsbottom [ACR@ALS.CO.UK]
Sent: Monday, February 21, 2000 5:52 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Microsoft signed software can be install software without prompting users

> From: "Juan Carlos Garcia Cuartango"
>
> I have prepared a demo in
> http://www.angelfire.com/ab/juan123/iengine.html

Which says:

  "How to close the back door

  Disable the "Download signed ActiveX" security option. But this solution will also forbid other software manufacturers to offer you their software in the clear way, that is: asking before install. As usual, you can also disable JavaScripting as an alternative to the first solution."

Disabling the specific control rather than all component download or jscript might be preferable for some folk.

When Juan found the problem with the DHTML Edit control last year, someone from MS intriguingly mentioned "classid revocation" as a means to disable a specific control. We didn't get any useful details at the time, but some info finally surfaced in the MS KB article Q240797.

NB: I've only tested this under W2K+IE5 and don't blame me if things break:

1) Run up a registry editor and go to:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

2) Create a new key based on the CLSID of the Active Setup controls:

   {6E449683-C509-11CF-AAFA-00AA00B6015C}

3) Under your new key, create the REG_DWORD value:

   Compatibility Flags   0x00000400

This sets the "kill bit" for the Active Setup control, i.e. stops it from being run via IE. This can be reversed by deleting the value or the whole of your new key.

PS: Does anyone know the definitions for the other flag bits?

-Alan-
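The three registry steps above, as an added PowerShell example that is not part of Alan's post: it audits which CLSIDs under the ActiveX Compatibility key already carry the 0x400 kill bit, and sets that bit for the Active Setup CLSID without clobbering other flag bits. It assumes an elevated PowerShell on Windows; the function names Get-KillBitStatus and Set-KillBit are this example's own.

```powershell
# Added example, not code from the original message.
# Assumes: elevated PowerShell on Windows; kill bit = 0x400 in the
# REG_DWORD "Compatibility Flags", as described in the message.

$CompatKey        = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit          = 0x400
$ActiveSetupClsid = '{6E449683-C509-11CF-AAFA-00AA00B6015C}'   # CLSID from the message

function Get-KillBitStatus {
    # Report, for one CLSID or for every subkey, whether the kill bit is set.
    param([string]$Clsid)
    $keys = if ($Clsid) { @(Join-Path $CompatKey $Clsid) }
            else        { (Get-ChildItem -Path $CompatKey).PSPath }
    foreach ($k in $keys) {
        $flags = $null
        if (Test-Path -Path $k) {
            $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Clsid      = Split-Path -Path $k -Leaf
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
            KillBitSet = (([int]$flags) -band $KillBit) -ne 0   # bitwise test, other bits ignored
        }
    }
}

function Set-KillBit {
    # Create the CLSID subkey if missing and OR in the kill bit, preserving
    # any other flag bits already present in "Compatibility Flags".
    param([Parameter(Mandatory)][string]$Clsid)
    $k = Join-Path $CompatKey $Clsid
    if (-not (Test-Path -Path $k)) { New-Item -Path $k -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$cur) -bor $KillBit
    Set-ItemProperty -Path $k -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Usage: audit existing kill bits, then apply it to the Active Setup control
# and confirm. Reverse it, as the message says, by deleting the value or key.
Get-KillBitStatus | Where-Object KillBitSet | Format-Table -AutoSize
Set-KillBit -Clsid $ActiveSetupClsid
Get-KillBitStatus -Clsid $ActiveSetupClsid
```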