Disable Active Scripting

Discussion in 'Windows Desktop Systems' started by damnyank, Sep 12, 2002.

  1. damnyank

    damnyank I WILL NOT FORGET 911

    RE News article topic:
    IE 6 SP1 omits fixes for 20 outstanding flaws
    Posted by MdSalih on 10 Sep 2002

    The article says the workaround is to Disable Active Scripting. I tried that, and the first thing I noticed is that when trying to reply to a thread using the vB Code features (color, http:, etc.), when I select one I do not get the Script Prompt box.

    I go back and Enable Active Scripting and I have the features available again.

    Is this how it is supposed to work - or do I have something else messed up? :confused
     
  2. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    I guess it's a payoff whether you want to feel secure until they issue a proper fix or want to use VBcodes. Active scripting makes up a lot of various codes that can be made use of - there just happens to be an annoying flaw every now and then.
     
  3. damnyank

    damnyank I WILL NOT FORGET 911

    Thanks for the info EP
     
  4. dave holbon

    dave holbon Moderator

    Without knowing which scripting service you are using, this is from MS:

    Much has been made about the security risks posed by Windows Script Host. The power and flexibility afforded by WSH can be used by forces of evil just as easily as they can be used to make your life simpler. Indeed, the infamous I Love You and Anna Kournikova e-mail worms were powered by VBScript attachments. You can make some simple changes that reduce the chance that you’ll accidentally run a nefarious script.
    As a first line of defence, be sure that the file name extension is always displayed for script files. (This would have tipped off many people who opened an e-mail attachment named Anna Kournikova.jpg.vbs. Because the extension is not displayed by default, many hopeful fans expected to see a picture of the tennis star.) Second, change the default action for scripts from Open to Edit. This causes the files to open harmlessly in Notepad if you double-click a file. To make these changes, follow these steps:

    1. In Windows Explorer choose Tools, Folder Options.
    2. Click the File Types tab.
    3. Select the JS (JScript Script File) file type and then click Advanced.
    4. Select the Always Show Extension check box.
    5. In the Actions list, select Edit and click Set Default. Then click OK.
    6. Repeat steps 3 through 5 for JSE (JScript Encoded Script File), VBE (VBScript Encoded Script File), VBS (VBScript Script File), and WSF (Windows Script File) file types.
    7. Click Close when you’ve secured all the script file types.

    Changing the default action to edit makes it more difficult to run scripts that show up as e-mail attachments, which is one of the most likely places to find a malevolent script. However, it also makes it more difficult to execute legitimate scripts from trusted sources: You must save the attachment and then, in Windows Explorer, right-click it and choose Open. You can use this same technique (right-click and choose Open) to run any script stored on your computer, but if you want to avoid that inconvenience for a script that you know to be harmless, simply create a shortcut to the script. (Be sure the Target text in the shortcut’s properties dialog box begins with wscript.exe or cscript.exe; if you include only the script name, this trick won’t work.) Double-clicking the shortcut runs the script without further ado.

    Are you working in the .NET environment? It seems to me that by definition using VB features across a network relies on their implementation of the service and its integration with both the network protocols, and MS’s implementation, which is buggy.

    Whilst the above might not help in this instance it gives an insight into the thinking generally. There is a black-hole (security) here yet to be addressed.

    Why use one word when a hundred will do.
    :)
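
The two settings from the Microsoft steps quoted in the last post (extension always shown, default action Edit rather than Open) can be audited across all five script file types in one pass. The script below is an added example, not part of the thread or of Microsoft's text; it only reads the registry and assumes the File Types dialog stores these settings under HKEY_CLASSES_ROOT in the values shown in the comments.

```powershell
# Added example: read-only audit of the settings from steps 1-7 above.
# Assumption: Explorer keeps them under HKEY_CLASSES_ROOT as read below.
$extensions = '.js', '.jse', '.vbe', '.vbs', '.wsf'
$root = 'Registry::HKEY_CLASSES_ROOT'

function Get-ScriptTypeStatus {
    param([Parameter(Mandatory)][string]$Extension)

    $status = [ordered]@{
        Extension     = $Extension
        FileType      = $null
        DefaultAction = $null
        AlwaysShowExt = $false
        Hardened      = $false
    }

    # The extension key's default value names the file type (ProgID).
    $extKey = Get-Item -LiteralPath "$root\$Extension" -ErrorAction SilentlyContinue
    $progId = if ($extKey) { $extKey.GetValue('') }
    if (-not $progId) {
        $status.DefaultAction = '(extension not registered)'
        return [pscustomobject]$status
    }
    $status.FileType = $progId

    $typeKey = Get-Item -LiteralPath "$root\$progId" -ErrorAction SilentlyContinue
    if ($typeKey) {
        # The value is normally empty; its presence is what counts.
        $status.AlwaysShowExt = $typeKey.GetValueNames() -contains 'AlwaysShowExt'
    }

    # "Set Default" stores the chosen verb as the default value of <type>\shell.
    # With no value stored, double-click falls back to the Open verb.
    $shellKey = Get-Item -LiteralPath "$root\$progId\shell" -ErrorAction SilentlyContinue
    $verb = if ($shellKey) { $shellKey.GetValue('') }
    $status.DefaultAction = if ($verb) { $verb } else { 'open (implicit)' }

    $status.Hardened = ($verb -eq 'Edit') -and $status.AlwaysShowExt
    return [pscustomobject]$status
}

$extensions | ForEach-Object { Get-ScriptTypeStatus -Extension $_ } | Format-Table -AutoSize
```

A row with Hardened set to False identifies a file type that still needs steps 3 through 5 applied.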