Wednesday, August 31, 2011

An Unbelievably Stupid bit of Security:

This is an Internet Explorer 8 story. I have been keeping my security set to disable attempts to run ActiveX controls from websites. A rational person suggested that for some types of ActiveX control settings, I should change “disable” to “prompt”. That seemed reasonable; an app that wants to run the control will ask for permission, right?

Well, with hardly any apps running, we started to see a prompt something like this, renewed every three seconds: Would you like to permit ActiveX controls to run? After answering NO to about fifty of these message boxes, I realized what was wrong, and changed my IE8 settings back to Disable.
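The setting the post is toggling lives in the per-zone IE security settings in the registry, and it can be audited and reset from PowerShell rather than through the Internet Options dialog. The script below is an added example and is not from the original post; it assumes the documented zone layout (`HKCU:\...\Internet Settings\Zones\<zone>`, value `1200` = "Run ActiveX controls and plug-ins", with `0` = Enable, `1` = Prompt, `3` = Disable) and the usual zone numbering (3 = Internet). The function names `Get-ActiveXRunPolicy` and `Set-ActiveXRunPolicy` are my own.

```powershell
# Added example, not from the original post. Audits the "Run ActiveX controls and
# plug-ins" policy for each IE security zone and can reset a zone to Disable.
# Assumptions (documented IE registry layout, not stated on the page):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#   value 1200 = "Run ActiveX controls and plug-ins"; 0 = Enable, 1 = Prompt, 3 = Disable
#   zones: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites

$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$RunActiveX  = '1200'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActionCodes = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-ActiveXRunPolicy {
    # One object per zone: the raw DWORD and its human-readable meaning.
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $key -Name $RunActiveX -ErrorAction SilentlyContinue).$RunActiveX
        if ($null -eq $value) {
            $policy = '(not set)'
        } elseif ($ActionNames.ContainsKey([int]$value)) {
            $policy = $ActionNames[[int]$value]
        } else {
            $policy = "unknown ($value)"
        }
        [pscustomobject]@{ Zone = $ZoneNames[$zone]; Value = $value; Policy = $policy }
    }
}

function Set-ActiveXRunPolicy {
    # Writes the DWORD for one zone. Default is the safe choice the post ends up with.
    param(
        [ValidateRange(0, 4)][int]$Zone = 3,
        [ValidateSet('Enable', 'Prompt', 'Disable')][string]$Policy = 'Disable'
    )
    $key = Join-Path $ZonesKey $Zone
    Set-ItemProperty -Path $key -Name $RunActiveX -Value $ActionCodes[$Policy] -Type DWord
    Get-ActiveXRunPolicy | Where-Object { $_.Zone -eq $ZoneNames[$Zone] }
}

# Show the current state of every zone, then put the Internet zone back to Disable.
Get-ActiveXRunPolicy | Format-Table -AutoSize
Set-ActiveXRunPolicy -Zone 3 -Policy 'Disable'
```

Two caveats a practitioner would want. First, these values are read by the URL security manager that any program hosting the WebBrowser control or MSHTML uses, not only by iexplore.exe, which is consistent with the post's observation that a background program can raise an "Internet Explorer" prompt without IE itself being open. Second, if the same values exist under `HKLM` (or are set by Group Policy), the machine-wide setting overrides the per-user one, so a change in `HKCU` may appear to have no effect.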

Now please note that the message box identified only “Internet Explorer”. That program was not even running as an application, so evidently some program or service in the background was trying to run it. That program did not identify itself, nor did it tell me what control it proposed to run. How am I supposed to give informed permission?

Note to Microsoft: when you allow a program to ask the user for permission to do something, the program and the requested action need to be identified.

Further note to Microsoft: If you can’t keep the same program from annoying the user every few seconds, don’t let it annoy the user at all.
