Skip to main content
MSRC

Internet Explorer (IE)

MS08-050 : Locking an ActiveX control to specific applications.

Tuesday, August 12, 2008

MS08-050 concerns an ActiveX control that can be maliciously scripted to leak out personal information such as email addresses. There appeared to be no need for the control to have this behaviour so giving it a Kill-Bit seemed the correct approach to take. During the extensive testing that each security update undergoes, however, it became apparent that the Kill-Bit wasn’t ideal as it partially broke the Remote Assistance application.

Read More

The IE8 XSS Filter

Wednesday, July 02, 2008

Hello, our team and IE have recently collaborated on a new IE8 feature that was announced today – the XSS Filter. Check it out here: http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx This effort demonstrates our commitment to helping our product teams benefit from the knowledge we have gained while defending our products from attack. Stay tuned to our blog for more stories like this in weeks to come…

Read More

MS08-023: Same bug, four different security bulletin ratings

Wednesday, April 09, 2008

Security bulletin MS08-023 addressed two ActiveX control vulnerabilities, one in a Visual Studio ActiveX control and another in a Yahoo!’s Music Jukebox ActiveX control. The security update sets the killbit for both controls. For more about how the killbit works, see the excellent three-part series (1, 2, 3) from early February in this blog.

Read More

The Kill-Bit FAQ: Part 2 of 3

Thursday, February 07, 2008

It is very common for Microsoft security bulletins to include “Kill-Bits” to disable individual ActiveX controls / COM objects. Here is the second part of our three-part Kill-Bit FAQ. The Kill-Bit FAQ – Part 2 of 3 How do ActiveX Controls, OLE Controls, and COM Objects relate? An ActiveX control is an OLE control that is intended to be used inside a web browser.

Read More