IE Security Update: Impact to Security and Compatibility


We’ve heard some concerns about the potential impact of recent IE updates, and I want to give you background on these updates so you can understand the impact.

It is a top goal of ours to keep users safe and web pages working as the author intended. The great majority of users and developers should not be negatively impacted by recent IE security changes. However, there is potential for any code change to change how a web page works, which is why we are very careful about deciding what changes we release.

The two most recent IE security updates, MS05-038 and MS05-052, include defense-in-depth improvements that help prevent malicious web pages from loading and manipulating ActiveX controls that were not meant to run in IE. Prior to MS05-038 and MS05-052, IE included two main security checks around whether an ActiveX control can load and be manipulated by a web page:

1. Only allow ActiveX controls to load if they are not in the registry-stored “killbit” list
2. Only allow loaded ActiveX controls to be manipulated if they have implemented IObjectSafety and therefore “promised” they can be safely scripted IEBlog : IE Security Update Impact to Security and Compatibility

Linked by shanmuga Friday, 4th November 2005 9:33PM