Add-ons I don't expect

[David Walker]

While looking at some friends' computers (trying to make sure they have
no malware) I have seen add-ons, in the Manage Add-Ons dialog, like
this:

HTML Document, Microsoft corporation, Enabled, ActiveX Control,
mshtml.dll
DHTML Edit Control Safe for Scripting, Microsoft Corporation, Enabled,
ActiveX Control, dhtmled.ocx

These seem strange because I don't think HTML is rendered by an ADD-ON
in IE -- it's part of the base functionality.

***I don't have this "HTML Document" ActiveX control add-on in my
system, and I can browse things just fine. *** This is what baffles me.
We both have Windows XP Pro SP2 with the most recent IE6 and all
security updates.

Even though it's a big improvement to have this Manage Add-Ons screen,
it's not clear whether some of these entries are supposed to be here.
I'm sure that mshtml.dll can function without being an ADD-ON to IE.

Can anyone clue me in on these things?

There is another strange one:

Microsoft Licensed Class Manager, Microsoft corporation, Enabled,
ActiveX Control, licmgr10,dll

Second question: When the Manage Add-Ons dialog box says "Microsoft" is
the publisher of an add-on, can we depend on that? Has the publisher
been verified with a certificate, or can any piece of software spoof the
Publisher name in that column of this dialog box?

Thanks.

David Walker

 

[Rob Parsons]

Hi David,

There are documented exploits for these 2 activex controls (search for
mshtml exploit) and I remember a security patch that flagged the kill byte
in the ActiveX Compatibility settings for mshtml to stop scripted popups.

So the first place to start with your friends puter is to ensure they have
all the latest patches. From your description it sounds like they are listed
in the 'Add-ins that have been used by Internet Explorer', so it appears
that they were loaded and used when your friend visited a malicious web page
so there are no components hanging around on the hard disk that you need to
uninstall.

You can download a free utility to check the ActiveX Compatibility values
from http://www.nirsoft.net/utils/acm.html

On my machines the mshtml.dll is flagged as disabled and the dhtml edit
control is enabled.

You may also like to check your friends Security Settings for the Internet
Zone. There is a new option for XP versions to 'Allow scripting of the Web
Browser control' - the default is disabled.


Regards.

 

[David Walker]

Hi David,

There are documented exploits for these 2 activex controls (search for
mshtml exploit) and I remember a security patch that flagged the kill
byte in the ActiveX Compatibility settings for mshtml to stop scripted
popups.

So the first place to start with your friends puter is to ensure they
have all the latest patches. From your description it sounds like they
are listed in the 'Add-ins that have been used by Internet Explorer',
so it appears that they were loaded and used when your friend visited
a malicious web page so there are no components hanging around on the
hard disk that you need to uninstall.

You can download a free utility to check the ActiveX Compatibility
values from http://www.nirsoft.net/utils/acm.html

On my machines the mshtml.dll is flagged as disabled and the dhtml
edit control is enabled.

You may also like to check your friends Security Settings for the
Internet Zone. There is a new option for XP versions to 'Allow
scripting of the Web Browser control' - the default is disabled.


Regards.

Thanks, I appreciate the info. I'll look at that page.

But what do these ActiveX controls actually do? Surely you don't need
an activeX control to render HTML.

David

 

[David Walker]

Hi David,

There are documented exploits for these 2 activex controls (search for
mshtml exploit) and I remember a security patch that flagged the kill
byte in the ActiveX Compatibility settings for mshtml to stop scripted
popups.

So the first place to start with your friends puter is to ensure they
have all the latest patches. From your description it sounds like they
are listed in the 'Add-ins that have been used by Internet Explorer',
so it appears that they were loaded and used when your friend visited
a malicious web page so there are no components hanging around on the
hard disk that you need to uninstall.

You can download a free utility to check the ActiveX Compatibility
values from http://www.nirsoft.net/utils/acm.html

On my machines the mshtml.dll is flagged as disabled and the dhtml
edit control is enabled.

You may also like to check your friends Security Settings for the
Internet Zone. There is a new option for XP versions to 'Allow
scripting of the Web Browser control' - the default is disabled.


Regards.

In other words, why do YOU need the DHTML edit control to browse Web
pages and I don't? That's the confusing part. On my system, the DHTML
edit control doesn't appear in that list, either enabled or disabled.

David

 

[Jon Kennedy]

The DHTML Edit Control:
http://msdn.microsoft.com/archive/en-us/samples/internet/browser/editcntrl/default.asp
Basically allows you to edit text, enter info, and do lots of other things
on web pages that use DHTML

The Microsoft Licensed Class Manager is an ActiveX control that is part of
Microsoft's Windows Genuine Advantage program.

From: http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en
Q: What is an ActiveX control, and how is it used in the validation process?

A: An ActiveX control is a small, executable code package that users of
Internet Explorer can download and run on their PCs. The Windows Genuine
Advantage validation process uses the ActiveX control to check the
authenticity of your Windows software. If the ActiveX control successfully
validates your Windows software, it stores a special download key on your PC
for future use.