ActiveX Security Questions

Donna Schumann schumann at timberland.lib.wa.us
Mon Aug 30 13:40:35 EDT 1999


We are in the process of implementing IE5 for staff and on our public
access PCs. We have some questions about ActiveX. 

First, when we run IE5 with "High" security (e.g., with ActiveX disabled),
we encounter many web pages that cannot be displayed due to the security
settings. We can display these pages without any problems using Netscape
4.X. Why is this? Does Netscape ignore ActiveX? Or does Netscape have the
same vulnerabilities, but people aren't talking about them? Or ???

Second, can NTFS file permissions protect us from the security problems
with IE5 and ActiveX? This morning I was reading about the IE5 security
hole with ActiveX discovered by the Bulgarian hacker Georgi Guninski. The
following is from the ZD Net web page
(http://www.zdnet.com/zdhelp/stories/main/0,5594,2322425,00.html?chkpt=hpqs00104):

*****
"Guninski's discovery involves an ActiveX control, included with IE5, that
is designed to create "scriptlets" -- small programs that run on the
user's machine when he or she views a Web page or e-mail message. (The
control is called "Object for constructing type libraries for
scriptlets".) 

"Unfortunately, the ActiveX control has free access to the user's file
system and can easily be made to run amok, overwriting vital system files
or planting Trojan Horse programs within the system. Because Windows 95,
Windows 98 and Windows NT systems are all susceptible, the hole allows
anyone with a Web page to plant malicious programs such as Back Orifice or
Back Orifice 2000 on the system, invisibly taking it over." 
*****

When I checked out Guninski's web page, he specifically said that he did
not know whether IE5 running on NT was affected. Does anyone on this list
know?

Thanks a lot! Regards, Donna

--------------------------------------------------------------
Donna Schumann                  Application System Specialist 
Timberland Regional Library     360-704-4542 FAX: 360-586-6838 
Olympia, Washington             schumann at timberland.lib.wa.us 



More information about the Web4lib mailing list