SideBar crashes when running ActiveX components that require approval

[Jon Abbott]

If a Gadget calls an ActiveX object that in IE prompts for authorization (ie
the prompt "To help protect your security, Internet Explorer has restricted
this webpage from running scripts or ActiveX controls that could access your
computer. Click here for options...") SideBar crashes.

Surely it should prompt or close the Gadget, not crash.

Two ways to reproduce this are with Java or Shockwave:

1. With Java

gadget.html:

<html>
<head>
<title>Crash by Java</title>
<style>
body {
width:120;
height:120;
}
</style>
</head>
<body>
<APPLET code="test.class" name="testjava" width=100% height=100%></APPLET>
</body>
</html>


test.class compiled from test.java:

import java.applet.*;

public class test extends Applet {
public void init()
{
}
}



2. With ShockWave

gadget.html

<html>
<head>
<title>Crash by ShockWave</title>
<style>
body {
width:120;
height:120;
}
</style>
</head>
<body>
<EMBED TYPE="application/x-shockwave-flash" src="test.swf" width=100%
height=100%>
</body>
</html>

test.swf can be any ShockWave app.

 

[Jon Abbott]

If a Gadget calls an ActiveX object that in IE prompts for authorization (ie
the prompt "To help protect your security, Internet Explorer has restricted
this webpage from running scripts or ActiveX controls that could access your
computer. Click here for options...") SideBar crashes.

Surely it should prompt or close the Gadget, not crash.

Two ways to reproduce this are with Java or Shockwave:

1. With Java

gadget.html:

<html>
<head>
<title>Crash by Java</title>
<style>
body {
width:120;
height:120;
}
</style>
</head>
<body>
<APPLET code="test.class" name="testjava" width=100% height=100%></APPLET>
</body>
</html>


test.class compiled from test.java:

import java.applet.*;

public class test extends Applet {
public void init()
{
}
}



2. With ShockWave

gadget.html

<html>
<head>
<title>Crash by ShockWave</title>
<style>
body {
width:120;
height:120;
}
</style>
</head>
<body>
<EMBED TYPE="application/x-shockwave-flash" src="test.swf" width=100%
height=100%>
</body>
</html>

test.swf can be any ShockWave app.

Spoke too soon, it's Shockwave and Java that crash it, Sidebar still crashes
with a "Mark of the Web" added to gadget.html.

 

[Bruce Williams [MSFT]]

Why do you think this is an authenticode issue, and not some other bug? (Is
there something that leads you to think that?) I ask, because I have seen a
crash in Flash where the version of Flash running has a stack overrun, which
Vista security measures detect and result in a forced crash. (This is the
DEP and NX support in the OS, if you're familiar with it.)

-Bruce

 

[Bruce Williams [MSFT]]

I don't understand, what's a "Mark of the Web"?

-Bruce

 

[Jon Abbott]

I don't understand, what's a "Mark of the Web"?

-Bruce

"Mark of the Web" - forced IE to not block ActiveX components on the page. Add
the following line to top of gadget.html:

<!-- saved from url=(0013)about:internet -->

 

[Jon Abbott]

Why do you think this is an authenticode issue, and not some other bug? (Is
there something that leads you to think that?) I ask, because I have seen a
crash in Flash where the version of Flash running has a stack overrun, which
Vista security measures detect and result in a forced crash. (This is the
DEP and NX support in the OS, if you're familiar with it.)

-Bruce

My mistake, as I said in the other post, it's not security causing it. Sidebar
has an issue when calling Flash or Java.

Flash, yes agreed DEP is killing Sidebar. Java is a similar issue.

 

[Bruce Williams [MSFT]]

I learn new things every day - thanks!

-Bruce