Hi everyone. I have noticed some security-related stuff recently regarding IE 11.
1) I have a personal small program that hosts IE and, since it is not meant for any kind of commercial purpose nor for distribution, I have not enabled the local machine zone lockdown feature (actually none of the new security features introduced in IE 6 for Windows XP SP2). I used to install updates/libraries through the classic "ActiveX install" feature of IE. But recently I have found out it is not working anymore. A security warning is displayed because the library is not digitally signed. (Found this detail out through trial and error.) So I looked up the registry for the setting "Install Unsigned ActiveX..." (value: 1004, type: DWORD, data: 1).

Currently it is set to "Prompt" (1) instead of "Allow" (0). Of course anyone can change it, but I would like to know what's the point of changing this setting for a security zone that, when "unlocked" (true for programs that do not use FEATURE_LOCALMACHINE_LOCKDOWN), as far as I know, does allow reading arbitrary local files, sending their content to web servers and even running commands, at this time, more than a decade since the release of the lockdown feature?

Additionally, the setting for installing signed ActiveX is still set to "Allow". As we know, there have been several attacks in the last decade using stolen certificates to digitally sign malware and trick people into thinking it is legitimate. That said, shouldn't both settings be set to "Prompt" instead of "Allow"? Or maybe just leave them set to "Allow", since malicious people are able to run code and, for instance, change this setting without the user's consent?

This just didn't make any sense, especially several years after the zone is "locked down" for critical programs like "IExplore.exe" itself. Does anyone agree/understand it?
2) Regarding the feature "RESTRICT_RES_TO_LMZ":

When the local machine lockdown feature is enabled, any file referenced through the "RES:" URI is placed in the "Internet" zone of IE, regardless of its location. When the feature "RESTRICT_RES_TO_LMZ" is enabled, shouldn't all "RES:" URIs be placed in the "local machine" zone instead of the "Internet" zone?

Currently it seems not to be working. If "local machine zone lockdown" and "restrict res to lmz" are enabled, "RES:" URIs are still placed in the "Internet" zone. If only the "restrict res to lmz" feature is enabled, but the resource DLL has been downloaded from the Internet, it will be processed in the "Internet" zone, like any file that comes from the Internet. Thoughts?
3) A small question:

Regarding the "Trusted sites" zone, recently I have seen the "https://localhost/" URL added to this zone on a machine running Windows 7 Ultimate, always with all updates applied. Since I don't have a local web server, nor the need to place any sites in this zone, I just deleted it. But I have just found out it is there again. And... yesterday I applied the monthly security patch. So, was this URL added by a Microsoft update (for built-in programs and/or MS Office and/or MS Visual Studio Express 2013), or is it from some third-party software?

If this was performed by some third-party software and not any Microsoft software, please let me know, so I can perform a search here and try to detect what vendor did it.
Thanks in advance.
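Added example, not code from the original post: a read-only PowerShell audit of the three things the post asks about, so the state of the Local Machine zone ActiveX settings (values 1001 and 1004 under zone 0), the two feature-control keys per process, and the Trusted Sites ZoneMap entries (including `https://localhost`) can be checked in one pass instead of by trial and error. The registry paths and value names are IE's documented ones; the function names and the `MyHostApp.exe` process name are this example's own placeholders.

```powershell
# Added example (not from the original post): read-only audit of the IE zone and
# feature-control settings discussed above. It changes nothing in the registry.
#   1) Local Machine zone (zone 0): 1001 = Download signed ActiveX controls,
#      1004 = Download unsigned ActiveX controls; data 0 = Allow, 1 = Prompt, 3 = Disable
#   2) FEATURE_LOCALMACHINE_LOCKDOWN / FEATURE_RESTRICT_RES_TO_LMZ per process name
#   3) ZoneMap\Domains entries assigned to Trusted Sites (zone 2)
# Function names and 'MyHostApp.exe' are placeholders chosen for this example.

$ZonesBase    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapBases = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    # Populated instead when the "Site to Zone Assignment List" group policy is in force
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$FeatureBases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl',  # 32-bit hosts on x64
    'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl'
)

$ZoneNames   = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ActionNames = @{ 0 = 'Allow'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneSetting {
    # DWORD data of one zone setting (e.g. '1004') for the given zone, or $null if not set.
    param([int]$Zone, [string]$ValueName)
    $item = Get-ItemProperty -Path (Join-Path $ZonesBase $Zone) -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Format-IeAction {
    param($Data)
    if ($null -eq $Data) { return 'not set (IE default applies)' }
    if ($ActionNames.ContainsKey([int]$Data)) { return ('{0} ({1})' -f $ActionNames[[int]$Data], $Data) }
    return "unknown ($Data)"
}

function Test-IeFeature {
    # $true when any feature-control location lists the process (or the '*' wildcard) with data 1.
    param([string]$Feature, [string]$Process)
    foreach ($base in $FeatureBases) {
        foreach ($name in @($Process, '*')) {
            $item = Get-ItemProperty -Path (Join-Path $base $Feature) -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item -and [int]$item.$name -eq 1) { return $true }
        }
    }
    return $false
}

function Get-IeZoneMapEntries {
    # Walks ZoneMap\Domains recursively: subkey names are host labels (nested keys
    # build the FQDN right-to-left), value names are schemes ('http', 'https', '*'),
    # and value data is the zone number.
    param([string]$Path, [string]$Suffix = '')
    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $hostName = if ($Suffix) { '{0}.{1}' -f $key.PSChildName, $Suffix } else { $key.PSChildName }
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{ Scheme = $scheme; Host = $hostName; Zone = $zone; ZoneName = $ZoneNames[$zone]; Source = $Path }
        }
        Get-IeZoneMapEntries -Path $key.PSPath -Suffix $hostName
    }
}

# --- 1) Local Machine zone ActiveX download settings --------------------------
Write-Output '== Zone 0 (Local Machine) ActiveX download settings =='
foreach ($v in @(@{ Id = '1001'; Desc = 'Download signed ActiveX controls' },
                 @{ Id = '1004'; Desc = 'Download unsigned ActiveX controls' })) {
    Write-Output ('  {0} ({1}): {2}' -f $v.Desc, $v.Id, (Format-IeAction (Get-IeZoneSetting -Zone 0 -ValueName $v.Id)))
}

# --- 2) Feature controls for IE itself and for the hosting application ---------
Write-Output '== Feature controls (True = opted in for that process) =='
foreach ($proc in @('iexplore.exe', 'MyHostApp.exe')) {   # replace the placeholder with your host's exe name
    foreach ($feat in @('FEATURE_LOCALMACHINE_LOCKDOWN', 'FEATURE_RESTRICT_RES_TO_LMZ')) {
        Write-Output ('  {0,-30} {1,-14} {2}' -f $feat, $proc, (Test-IeFeature -Feature $feat -Process $proc))
    }
}

# --- 3) What is currently assigned to Trusted Sites? ---------------------------
Write-Output '== Trusted Sites (zone 2) ZoneMap entries =='
$entries = foreach ($base in $ZoneMapBases) { Get-IeZoneMapEntries -Path $base }
$trusted = @($entries | Where-Object { $_.Zone -eq 2 })
if ($trusted.Count -eq 0) { Write-Output '  (none)' }
foreach ($e in $trusted) {
    $flag = if ($e.Host -eq 'localhost') { '   <-- the entry the post asks about' } else { '' }
    Write-Output ('  {0}://{1}  [{2}]{3}' -f $e.Scheme, $e.Host, $e.Source, $flag)
}
```

Run it as the user whose profile shows the entry, because the Zones and ZoneMap keys it reads live under HKCU and a per-user writer will only be visible there. To find out which program keeps re-adding `localhost`, watching the key is more reliable than guessing the vendor: put an audit SACL on `ZoneMap\Domains` (Object Access auditing), or if Sysmon is available, its RegistryEvent records (Event ID 12 for key/value create and 13 for value set) name the writing process the next time the entry comes back.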