MFC and CDHTMLDialog vs xp SP2...
From: Gilles Racine (digitinf_at_aei.ca)
Date: 03/10/04
- Next message: Joseph M. Newcomer: "Re: newbie: handle to window"
- Previous message: Jim McGill: "Re: SetActiveView question"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 10 Mar 2004 18:18:55 -0500
To someone who could know,
I'm developping an application with heavy use of the MFC's CDHMLDialog
component (lots of DHTML and js in IE...). Looking at the new security
restrictions annonced by the XP SP2, I would like to be sure that such
framework will NOT raise a security dialog box saying that such application
could contain malicious script (JS for instance) or whatever.
I feel on the right side of the fence looking at the Microsoft's document
« Changes to Functionality in Service Pack 2 for Microsoft Windows XP »
(version of February 20). But I'm not that sure. For instance, what does the
following extract from that document really say?
« By default, Local Machine Lockdown is not enabled for non-Internet
Explorer processes, and developers will need to register their applications
to take advantage of the changes. Application developers that do not use
this mitigation should independently review their applications for Local
Machine zone attack vectors. » [More extracts at the end of this message].
Does it mean that if I register my MFC application (containing IE+DHTML+JS)
to be a good citizen in XP that THEN my users will see a warning dialog box
to the effect that malicious script could be executed?
It's a little ironic knowing that a C++ application could do much more
damage than innocent JS scripts that DO NOT use any ActiveX controls...!
But is there anything I'm interpreting incorrectly here? Could it be that
straight MFC applications are safer under SP2?
Thanks for any clue or help!
Gilles [zakoops@look.ca]
------------------------------------------
Extract from « Changes to Functionality in Service Pack 2 for Microsoft
Windows XP »:
« If your local HTML content currently runs inside of Internet Explorer and
experiences problems due to this mitigation, you could save your content as
an HTA (HTML application) file and try to execute the file again in the
Local Machine zone. HTAs are hosted in a different process and therefore are
not impacted by the mitigation. However, HTAs run with full privileges so
they can be dangerous. Caution should be taken to now allow untrusted code
to run in this manner.
You can a "mark of the Web" comment placed in the HTML file to their Web
pages. For example, you might add <!-- saved from
url=(0023)http://www.contoso.com/ --> to a Web page, where the (0023) value
is the string length of your URL that follows it and Contoso is the name of
your website. When Internet Explorer loads the file, it looks for a "saved
from URL" comment, then reads the URL and uses the zone settings on the
computer to determine what security policy to apply to the Web page. This
Internet Explorer feature allows the HTML files to be forced into a zone
other than the local zone, so that they can be assigned to the Internet zone
and, with those reduced security privileges, run the script or ActiveX code.
An alternative is to create a separate application that hosts the HTML
content Internet Explorer Web Object Control (WebOC). The HTML is then no
longer bound by the same rules that apply to content run in Internet
Explorer. When the HTML content runs in that other process, it can have full
rights as defined by the developer or zone policy for that process. »
- Next message: Joseph M. Newcomer: "Re: newbie: handle to window"
- Previous message: Jim McGill: "Re: SetActiveView question"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
