Knowledge Base

Overriding an ActiveX killbit using Ion’s Custom Registry Manager

Applies to

Ion 2.x or Ion 3.0

Summary

As the Microsoft Windows and Internet Explorer security landscape changes, Microsoft occasionally “kills” an old ActiveX control when that control is found to have serious security issues. These events typically occur when Microsoft releases a new browser and can occasionally occur at “Patch Tuesday” events when the security flaw is severe. However, many older web applications can rely on these old controls for functionality, and it is occasionally necessary to allow an older, less-secure ActiveX control to run for the sake of application compatibility. This article details how you can allow these old ActiveX controls to run when required.

 

Before you begin

To be clear, Microsoft only “kills” older controls when no other option is available. Applications that rely on these old, insecure ActiveX controls should be carefully monitored and updated when possible. Ion’s architecture allows you to run these old ActiveX controls only for the specific web applications that need them, but sometimes the security flaws in these ActiveX controls can be severe enough that we do not recommend using this method. It is recommended that you have a full understanding of the security implications of running these old ActiveX controls before allowing them to run in your environment.

 

Understanding ActiveX Killbits

Microsoft has posted a KB article entitled “How to stop an ActiveX control from running in Internet Explorer.” This is a great starting point for reading up on what killbits are and why Microsoft occasionally kills insecure ActiveX controls. Microsoft publishes new killbits occasionally, including in “Patch Tuesday” security updates when necessary.

Commonly-used ActiveX controls are occasionally killed off by new versions of Windows or Internet Explorer. One common example is DHTMLED.OCX, a Dynamic HTML Edit control used by many older applications for rich text editing. This control was “killed” by Microsoft in Windows Vista & Internet Explorer 7 (and later). Official guidance is to re-write applications that use this control with new, safer ActiveX controls. In cases where application re-writes are not possible, Ion’s Custom Registry Manager can be used to allow this type of ActiveX control to run, but just for the applications that need it.

 

Feature specifics

Allowing an older ActiveX control to run requires using Ion’s “Custom Registry Manager” feature. Details on using this feature in general can be found in the KB article “Setting a custom registry value with Ion.” We strongly recommend, should you wish to allow an ActiveX control that has been disabled, that you only do so for web applications that you entirely own so that you do not expose the flawed ActiveX controls to the open Internet! Ion’s Custom Registry Manager feature will allow you to isolate the ActiveX control so it only runs at the web sites you designate.

To allow a killed ActiveX control to run for your application:

1. Identify the CLASS ID (CLSID) for the control you need to run. You can get the CLSID from the manufacturer. Sometimes you can also find the CLSID using the control’s friendly name. Go through the CLSID keys at HKEY_CLASSES_ROOT\CLSID until you find a ProgID key with a Default string that matches the friendly name. IE8 & IE9’s “Manage Add-ons” will show this information for controls it can load (ActiveX controls “killed” by killbits won’t show up in this list). To view the CLSID for an add-on inside IE8 or IE9, open “Manage Add-ons” from the browser, select the control in question and choose “More information” from the details. This window shows advanced information for Ion’s own Client add-on control, including its CLSID (shown near the middle of the window):

[Screenshot: IE “More information” window for Ion’s Client add-on, showing its CLSID]

The ActiveX “kill bit” is represented in the registry by the DWORD value 0x00000400. The bit is set in the “Compatibility Flags” value under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID of the ActiveX control>. You’ll need a valid flag to replace the kill-bit value. You can find a list of flags in Microsoft’s documentation. For this example and in most cases, it is safe to use the value “0x00800000” (COMPAT_SAFEFOR_LOADING).

2. Open Ion Configuration Manager. Open your Ion Project and select the Custom Registry Manager for the Ion profile you wish to change

3. Click “Add Custom Registry Entry…” in the Actions pane on the right

4. Change the Hive dropdown to “Local Machine” (short for HKEY_LOCAL_MACHINE)

5. In the Key field, type “SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID of the ActiveX control>”, substituting the control’s CLSID and removing the quotation marks. Note that the CLSID includes the curly brackets ({}), so include those in the full path.

7. Enter “Compatibility Flags” (no quotation marks) in the “Value Name” field

8. Change the Type dropdown to DWord

9. Type “0x00800000” (no quotation marks) in the “Value Data” field. Your Ion Configuration Manager window should look something like this (note that your CLSID will differ from the screenshot shown below):

[Screenshot: Ion Configuration Manager custom registry entry dialog with the values above]

10. Click “OK” to save this setting. You will now see your custom entry in the Manager, as shown here:

[Screenshot: Custom Registry Manager listing the new custom entry]

11. To test, click “Save Local Settings” from the “File” menu. This will allow your ActiveX control to work for applications you designate for this profile, but remain disabled for other websites.
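To keep track of which controls carry the kill bit and which have been given the override value used in this article, the following added example (not part of Ion or of the original article) parses the text of a registry export of the ActiveX Compatibility key and decodes each “Compatibility Flags” DWORD. The function names and the CLSIDs in the sample are constructed placeholders; files written by `reg export` are UTF-16 and must be decoded to text first.

```python
import re

KILL_BIT = 0x00000400          # kill-bit value given in this article
SAFE_FOR_LOADING = 0x00800000  # override value used in this article

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$", re.IGNORECASE)
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$',
                    re.IGNORECASE)

def audit_compat_flags(reg_text):
    """Return {CLSID: {"flags": int, "killed": bool}} from .reg export text."""
    result, clsid = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # New key header: track the CLSID only if it is under the audited key.
            m = KEY_RE.match(line)
            clsid = m.group(1).upper() if m else None
            continue
        m = VAL_RE.match(line)
        if clsid and m:
            flags = int(m.group(1), 16)
            result[clsid] = {"flags": flags, "killed": bool(flags & KILL_BIT)}
    return result

def overridden(report):
    """CLSIDs whose flags equal the override value (kill bit not set)."""
    return sorted(c for c, r in report.items()
                  if r["flags"] == SAFE_FOR_LOADING and not r["killed"])

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000420
'''

if __name__ == "__main__":
    for clsid, info in audit_compat_flags(SAMPLE).items():
        state = "kill bit set" if info["killed"] else "kill bit clear"
        print(clsid, hex(info["flags"]), state)
```

Any CLSID returned by `overridden` should correspond to an application you have deliberately approved for this exception.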
