Date: Thu, 17 Jul 2003 11:09:59 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "'Jackson, Chris'" <CJackson@...dgecom.com>,
	"'Siddhartha Jain(IT)'" <SiddharthaJ@...kmuscat.com>,
	"'BUGTRAQ@...URITYFOCUS. COM'" <BUGTRAQ@...urityfocus.com>
Subject: RE: Windows Update - Unsafe ActiveX control


You should not enable "unsafe ActiveX" in order to get Windows Update
to work, however.

http://*.windowsupdate.com , http://download.microsoft.com,
http://windowsupdate.microsoft.com , https://download.microsoft.com, and
http://*.windowsupdate.com should all be enabled in trusted sites zone.
This is by default on Windows 2003.

Some references which are a good rule of thumb:
http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/esc_changes.asp

Windows 2003 does have a good system in this way for the paranoid. It
disables ActiveX and Active Scripting, but it allows for Windows Update
to properly work. Its settings are documented in the above URL.



> -----Original Message-----
> From: Jackson, Chris [mailto:CJackson@...dgecom.com] 
> Sent: Thursday, July 17, 2003 10:35 AM
> To: 'Siddhartha Jain(IT)'; BUGTRAQ@...URITYFOCUS. COM
> Subject: RE: Windows Update - Unsafe ActiveX control
> 
> 
> > "An ActiveX control on this page is not safe. Your current security
> > settings prohibit running unsafe controls on this page. As a result,
> > this page may not display as intended." So Microsoft expects me to
> > download critical patches using an unsafe ActiveX control??
> 
> Safe for Scripting indicates that a control does not access 
> files, memory, or registers directly. The only purpose of the 
> Windows Update control is to access (and update) files 
> directly, so it should not be marked as safe for scripting.
> 
> -- 
> Chris Jackson
> Software Engineer
> Microsoft MVP
> -- 
> 
> 
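
The configuration recommended in the message above can be verified with a read-only audit; this is an added example, not part of the original thread. It assumes the per-user registry locations Internet Explorer uses for zone settings (URL action 1201, ZoneMap\Domains and, under Enhanced Security Configuration, ZoneMap\EscDomains) and does not read Group Policy or machine-wide hives.

```powershell
# Added example: read-only audit of the current user's IE zone settings.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# URL action 1201 = "Initialize and script ActiveX controls not marked as
# safe for scripting". 0 = Enable, 1 = Prompt, 3 = Disable.
function Get-UnsafeActiveXSetting([int]$Zone) {
    $p = Get-ItemProperty -Path "$base\Zones\$Zone" -Name '1201' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set' }
    switch ($p.'1201') { 0 {'Enable'} 1 {'Prompt'} 3 {'Disable'} default {"unknown ($_)"} }
}

# Hosts listed in the message, split the way ZoneMap stores them:
# <registrable domain>\<subdomain>, with one value per scheme.
$sites = @(
    @{ Domain = 'windowsupdate.com'; Sub = $null;           Scheme = 'http'  },
    @{ Domain = 'microsoft.com';     Sub = 'download';      Scheme = 'http'  },
    @{ Domain = 'microsoft.com';     Sub = 'windowsupdate'; Scheme = 'http'  },
    @{ Domain = 'microsoft.com';     Sub = 'download';      Scheme = 'https' }
)

# Returns the zone number a site is mapped to, or $null if it is unmapped.
function Get-MappedZone($Site) {
    foreach ($map in 'Domains', 'EscDomains') {
        $key = "$base\ZoneMap\$map\$($Site.Domain)"
        if ($Site.Sub) { $key = "$key\$($Site.Sub)" }
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        # A value named '*' applies to every scheme.
        foreach ($name in $Site.Scheme, '*') {
            $prop = $p.PSObject.Properties[$name]
            if ($prop) { return [int]$prop.Value }
        }
    }
    return $null
}

# Zone 3 = Internet, zone 2 = Trusted sites.
"Internet zone unsafe ActiveX (1201): $(Get-UnsafeActiveXSetting 3)"
"Trusted sites unsafe ActiveX (1201): $(Get-UnsafeActiveXSetting 2)"

foreach ($s in $sites) {
    $z = Get-MappedZone $s
    $label = if ($null -eq $z) { 'unmapped' } elseif ($z -eq 2) { 'Trusted sites' } else { "zone $z" }
    $name = if ($s.Sub) { "$($s.Sub).$($s.Domain)" } else { "*.$($s.Domain)" }
    "{0}://{1} -> {2}" -f $s.Scheme, $name, $label
}
```

An Internet zone result of `Enable` is the setting the message advises against; the Windows Update hosts should instead report `Trusted sites`.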


