One of the most powerful tools that malware authors have had at their disposal is an ActiveX control. At one time, malware authors commonly developed malicious ActiveX controls and tried to trick their victims into installing them. Today, security features built into IE and into third-party antimalware software greatly reduced the practice of installing malicious ActiveX controls.
A lot of people don't realize that there are a number of ActiveX controls built into IE6. Although these built-in controls are not malicious in and of themselves, they are frequently used as components in malware attacks.
In Internet Explorer 7, Microsoft disabled almost all of the built in ActiveX controls by default. If a Web site needs to use a control, Microsoft notifies the user through the information bar and has the option of enabling the control.
ActiveX controls can also be manually enabled or disabled through the Add-on Manager, which is accessible through Internet Explorer's Tools menu. As you can see in Figure C, the Add-on Manager allows you to manually enable or disable ActiveX controls individually.
Figure C: Add-on Manager allows you to enable or disable ActiveX controls individually.
The Information Bar
The Information Bar in IE6 notifies the user when Internet Explorer has taken action against a possible security exploit. One change made to the information bar in IE7 is that it is now color-coded. For example, if IE7 is absolutely confident in a site's identity because the site is using a high-assurance certificate, then the information bar is presented in green. On the other hand, if a site is a known phishing site, then the information bar is presented in red.
Another minor, but security-oriented change to the IE user interface is that all browser windows now contain an address bar. This helps prevent malicious pop-up windows from appearing to be part of a legitimate Web site.
These forms of protection are built in to IE7 and are non-configurable.
One last non-configurable, behind the scenes security feature that I want to talk about is cross-domain barriers. In order to prevent malicious code from taking advantage of holes in poorly coded legitimate Web sites, IE7 and its cross-domain protection feature prevents scripts on a Web site from interacting with sites located at other domains.
Configuring IE7 security on Windows Vista
General security configuration
The Phishing filter
International domain names, URL handling
ActiveX, Information bar, cross-domain protection
Security features on the Windows Vista version of IE7
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
This tip originally appeared on SearchWindowsSecurity.com.
Dig deeper on Application security and data protection