March 22, 2005

Useless IE Dialog

I've actively been working on reducing my attack surface, so now I have it so that I'm prompted before running any ActiveX controls. Unfortunately, this is the dialog that I get.

IE Dialog: 'A script is accessing some software (an ActiveX control) on this page which has been marked safe for scripting.  Do you want to allow this?  [Yes/No]'

Now, while I'm glad I'm getting prompted, I've got some complaints.

1) What ActiveX control is being initialized? How am I to make an informed decision without having that information? In this case, it would be nice to know that it is the Messenger ActiveX control that is being activated, wouldn't it?

2) Where is the "Always Allow" and "Never Allow" selection for this particular ActiveX control? After I've made my informed decision about the ActiveX control, it would be nice to ensure that my option can persist.

3) The verbiage is a bit off. The software in question (the ActiveX control) is not on the page...it's on my computer. The correct verbiage should be something like "A script on this page wants to access some software on your computer (an ActiveX control) that has been marked safe for scripting."

4) It's a modal dialog, but even if IE is the top-most window, IE can make this modal dialog lose focus so that I can't just hit "N" on my keyboard. Usually, it happens when multiple ActiveX controls are on a single page and the dialogs queue up.

Regardless, please rewrite this dialog for IE7.
