5

I have some ActiveX controls that are not supposed to run in the browser but only in my particular Front-End. I know that by setting the Kill-Bit I disable their execution in Internet Explorer and MS Office applications.

That is following the FAQ given by MS Part 1, Part 2 and Part 3. Now, I was assuming that ActiveX controls work only in Microsoft environments, as reported by Mozilla, but I noticed that there are plugins Ex1, Ex2,... in the wild that let customers use ActiveX in Mozilla.

Therefore the question: Does the Kill-Bit cover these plugin cases as well? If not, what would be an alternative?

AviD
Phoenician-Eagle
  • Alternative: Disallow user-installed software? – Iszi Jan 14 '11 at 15:30
  • Can you talk a bit more about why you have restricted them, and the threats you're worried about? Are you just trying to save your users from themselves? Or is the control somehow capable of being co-opted? In the latter case I assume it would be possible for someone to find a way to execute your controls if they really wanted to, e.g. by just removing the kill-bit. – nealmcb Jan 15 '11 at 22:06

1 Answer

3

To my understanding, the Kill-Bit mechanism is an opt-in mechanism for ActiveX. Programs have to explicitly support it. Microsoft's own documentation (link) states that the only way to blanket-kill an ActiveX control is with a Software Restriction Policy. Such a policy will restrict the execution of the ActiveX control by any process.

sysadmin1138
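An added example, not part of the original answer or of Microsoft's documentation: the kill bit is the 0x400 bit of the `Compatibility Flags` value under the `ActiveX Compatibility` registry key, so it only has an effect in hosts that read and honor it. This PowerShell script reports whether it is set for a control in both registry views; the CLSID is a constructed placeholder and the function name is hypothetical.

```powershell
# Added example: audit the kill bit for one or more ActiveX controls.
# Run from a 64-bit PowerShell session so both registry views are visible.

# Constructed placeholder; replace with the CLSID(s) of your own controls.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

# Bit in "Compatibility Flags" that marks a control as killed.
$KillBit = 0x400

# The flag is stored per registry view, so 32-bit and 64-bit hosts
# can see different settings for the same control.
$Roots = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-KillBitStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Clsid)

    foreach ($id in $Clsid) {
        foreach ($view in $Roots.Keys) {
            $key   = Join-Path $Roots[$view] $id
            $flags = $null

            # A missing key or value means no kill bit is configured in this view.
            if (Test-Path -LiteralPath $key) {
                $prop = Get-ItemProperty -LiteralPath $key `
                            -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($prop) { $flags = $prop.'Compatibility Flags' }
            }

            [pscustomobject]@{
                Clsid      = $id
                View       = $view
                Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

Get-KillBitStatus -Clsid $Clsids | Format-Table -AutoSize
```

A `KillBitSet` of `True` only tells you what kill-bit-aware hosts will do; a process that never consults this key is unaffected, which is why the answer points to a Software Restriction Policy for a blanket block.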