Internet Explorer BindToObject Mitigation

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does BindToObject Mitigation do?

In Windows Server 2003 with Service Pack 1, the ActiveX security model is applied in all cases where URL binding is used to instantiate and initialize an object. The ActiveX security model allows controls to be marked as "safe for scripting" and "safe for initialization" and provides users with the ability to block or allow ActiveX controls by security zone, based on those settings. This allows greater flexibility and control of active content in Internet Explorer.

Who does this feature apply to?

  • Web developers and network administrators need to be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.

  • Application developers should review this feature to plan to adopt changes in their applications.

  • Users could be affected by sites that are not compatible with these stricter rules.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

None. Existing security functionality is being extended.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

ActiveX security model applied to URL object initializations

Detailed description

The most effective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at the source of the URL binding: URLMON. Declaring an ActiveX control in an HTML page using the <object> tag and CODEBASE attribute is one commonly known example of using BindToObject. The same functionality is used by any component that wants to resolve a URL and get back a stream or object. The ActiveX security model is now applied to all object initializations with a URL as a source.

Why is this change important?

In the case of ActiveX controls, the ActiveX security model allows controls to be marked as "safe for scripting" or "safe for initialization" and provides users with the ability to block or allow ActiveX controls by zone, based on those settings. In earlier versions of Windows, this security framework was not applied in all cases where URL binding took place. Instead, the calling code was responsible for assuring the integrity and security of the control, which could often result in security vulnerabilities. There are now a number of public exploit variations that expose this exact issue by going through Internet Explorer to compromise vulnerabilities in the calling code.

What works differently?

The ActiveX security model is applied to all object initializations with a URL as a source, and the "Safe for initialization" tag is applied to all objects. This mitigation only applies to cases where Internet Explorer resolves a URL, instantiates an object, and initializes the object with data retrieved from that URL.

How do I resolve these issues?

Application compatibility problems should be minimal. Applications can opt out if they have their own security manager. For more information about opting out of this security model, see "Security Considerations: URL Security Zones API," on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21814.

Applications can also opt in or out of this mitigation using the feature control key FEATURE_SAFE_BINDTOOBJECT, as described in the topic Internet Explorer Using Feature Control Registry Settings with Security Zone Settings.

What settings are added or changed in Windows Server 2003 Service Pack 1?

Internet Explorer Object Caching

Setting name: IExplore.exe, Explorer.exe, WMPlayer.exe (one value per process name)
Location: HKEY_LOCAL_MACHINE (or Current User)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
Previous default value: None
Default value: 1
Possible values: 0 - Off; 1 - On
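As an added example (not part of the original article), the following PowerShell script audits the FEATURE_SAFE_BINDTOOBJECT feature control key described above in both the machine and the current-user hive, lists every process entry with its current state, and optionally resets any opted-out process to 1. It assumes PowerShell is installed on the server (an add-on for Windows Server 2003 SP1), that the values are stored as REG_DWORD, and that it is run from an elevated prompt when remediating.

```powershell
# Added example: audit (and optionally re-enable) the BindToObject mitigation per process.
# Assumptions: PowerShell available on the host, values are REG_DWORD, elevated prompt for -Remediate.
param([switch]$Remediate)

$subKey = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT'
$hives  = @('HKLM', 'HKCU')   # the feature control can be set per machine or per user

foreach ($hive in $hives) {
    $path = "${hive}:\$subKey"
    if (-not (Test-Path $path)) {
        # No key means no process has opted in or out here; the SP1 default (mitigation on) applies.
        Write-Output "$hive : key absent, default applies"
        continue
    }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the unnamed (Default) value
        $value = $key.GetValue($name)
        $state = if ($value -eq 1) { 'On' } elseif ($value -eq 0) { 'OPTED OUT' } else { "unexpected ($value)" }
        Write-Output ("{0} : {1,-20} = {2} ({3})" -f $hive, $name, $value, $state)
        if ($Remediate -and $value -ne 1) {
            # Put the process back under the ActiveX security model for URL-bound objects.
            Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
            Write-Output ("{0} : {1} reset to 1" -f $hive, $name)
        }
    }
}
```

Run it without parameters to report only; add -Remediate to force every listed process back to the default of 1.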