This section discusses several things you can do to remove and minimize the risk from malicious ActiveX controls. The following items were covered in Chapter 10 and aren’t covered in detail here:
Total security: Disable ActiveX, scripting of ActiveX objects, or Internet access
Use an antivirus scanner
Use latest browser version
Apply the latest security patches
Avoid malicious sites
Be aware of socially engineered malicious code.
The following sections cover further items in more detail.
Running only the code you trust is a significant step in reducing your exposure to malicious mobile code. In the theoretical world of ActiveX, this means only running digitally signed code. With the Internet zone’s default security set, this is automatic. At a low setting, you will be prompted if you want to run unsigned code. With any other setting, unsigned code is discarded without any user notification.
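To see how the controls already installed on a machine measure up against a "signed code only" rule, the following PowerShell audit (an added example, not code from the book) reports each control's Authenticode status and signer certificate expiry. It assumes the controls live in `%SystemRoot%\Downloaded Program Files`, the default Internet Explorer location; the `-Path` parameter and the report column names are choices made for this example.

```powershell
# Added example: audit the Authenticode status of installed ActiveX controls.
# Assumption: controls are in the default Internet Explorer download folder;
# pass -Path to audit a different directory.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'Downloaded Program Files')
)

$now        = Get-Date
$extensions = '.ocx', '.dll', '.exe'   # binary types ActiveX controls ship as

$report = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $extensions } |
    ForEach-Object {
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, and so on
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file is unsigned

        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject }          else { $null }
            CertExpires = if ($cert) { $cert.NotAfter }         else { $null }
            CertExpired = if ($cert) { $cert.NotAfter -lt $now } else { $null }
            # A countersigned timestamp records when the signature was made
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }

# Per-file detail, with anything that is not Valid listed first
$report |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, File |
    Format-Table File, Status, CertExpired, Timestamped, Signer -AutoSize

# Summary: how many controls fall into each signature state
$report | Group-Object Status | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Files reported as `NotSigned` are the unauthenticated controls; for the rest, the `CertExpired` and `Status` columns together show whether the signature still validates today.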
Unfortunately, trusted and signed code fails the digital certification process all the time. Sometimes it can be something as little as a web site name change (which is stored in the certificate), or an expired certificate. Most controls aren’t signed at all (see Figure 11-12). They come from legitimate vendors and are safe to use, but for whatever reason, the software programmers didn’t go through with the extra effort and money necessary to digitally sign the code. Thus, it is up to the user whether to accept the unauthenticated ...