Internet Explorer BindToObject Mitigation
Applies To: Windows Server 2003 with SP1
|The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.|
What does BindToObject Mitigation do?
In Windows Server 2003 with Service Pack 1, the ActiveX security model is applied in all cases where URL binding is used to instantiate and initialize an object. The ActiveX security model allows controls to be marked as "safe for scripting" and "safe for initialization" and provides users with the ability to block or allow ActiveX controls by security zone, based on those settings. This allows greater flexibility and control of active content in Internet Explorer.
Who does this feature apply to?
Web developers and network administrators need to be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.
Application developers should review this feature to plan to adopt changes in their applications.
Users could be affected by sites that are not compatible with these stricter rules.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
None. Existing security functionality is being extended.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
ActiveX security model applied to URL object initializations
The most effective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at the source of the URL binding: URLMON. Declaring an ActiveX control in an HTML page using the
<object> tag and
CODEBASE attribute is one commonly known example of using
BindToObject. The same functionality is used by any component that wants to resolve a URL and get back a stream or object. The ActiveX security model is now applied to all object initializations with a URL as a source.
Why is this change important?
In the case of ActiveX controls, the ActiveX security model allows controls to be marked as "safe for scripting" or "safe for initialization" and provides users with the ability to block or allow ActiveX controls by zone, based on those settings. In earlier versions of Windows, this security framework was not applied in all cases where URL binding took place. Instead, the calling code was responsible for assuring the integrity and security of the control, which could often result in security vulnerabilities. There are now a number of public exploit variations that expose this exact issue by going through Internet Explorer to compromise vulnerabilities in the calling code.
What works differently?
The ActiveX security model is applied to all object initializations with a URL as a source, and the "Safe for initialization" tag is applied to all objects. This mitigation only applies to cases where Internet Explorer resolves a URL, instantiates an object, and initializes the object with data retrieved from that URL.
How do I resolve these issues?
Application compatibility problems should be minimal. Applications can opt out if they have their own security manager. For more information about opting out of this security model, see "Security Considerations: URL Security Zones API," on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=21814.
Applications can also opt in or out of this mitigation using the feature control key FEATURE_SAFE_BINDTOOBJECT, as described in the topic Internet Explorer Using Feature Control Registry Settings with Security Zone Settings.
What settings are added or changed in Windows Server 2003 Service Pack 1?
Internet Explorer Object Caching
|Setting name||Location||Previous default value||Default value||Possible values|
HKEY_LOCAL_MACHINE (or Current User)\Software \Microsoft \Internet Explorer\Main \FeatureControl \FEATURE_SAFE_BINDTOOBJECT
0 - Off
1 - On