The Kill-Bit FAQ: Part 3 of 3

Original: http://blogs.technet.com/b/srd/archive/2008/02/08/the-kill_2d00_bit-faq_3a00_-part-3-of-3.aspx

It is very common for Microsoft security bulletins to include “Kill-Bits” to disable individual ActiveX controls / COM objects. Here is the final part of our three-part Kill-Bit FAQ.

The Kill-Bit FAQ – Part 3 of 3

Are there issues that could complicate the implementation of a Kill-Bit based fix?

Yes. Here’s one interesting example: if the vulnerable code is in a separate binary from the one that implements the ActiveX control (the one referenced by the registered CLSID for the control) then the Kill-Bit may not have the intended effect.

Per the top portion of Figure 1 below, imagine Control AX.1 references some vulnerable code in DLL.1. The proposed fix plan is as follows:

  • The code in DLL.1 will be fixed and released as DLL.2.
  • A Kill-Bit / Phoenix-Bit will be released for AX.1 to redirect to AX.2 which has a brand new CLSID.
  • The new binaries, DLL.2 and AX.2, will be bundled together in one fix package.

Now imagine that the old DLL B.1 binary is dropped onto the system and registered. The system is now in a “downgraded” and vulnerable state, as depicted in Figure 1. The Kill-Bit does not automatically address this problem because even the new “fixed” AX.2 can still reference the old vulnerable DLL.1.

Figure 1 (image not reproduced)

Consequently, in the event that you need to fix a vulnerable control and the vulnerable code is actually in a separate binary, make sure that the new control is not able to use the old / vulnerable binary even if that binary is reintroduced onto the system. You can achieve this by performing a handshake or version check between the new control and the new / fixed binary.
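The handshake the FAQ recommends, as an added example that is not code from the original post: a model of the Figure 1 scenario in which the new control (AX.2) refuses to bind to a helper binary unless it exports a version function and reports a build at or above the fixed one. The structure layout, the `get_build_version` export and the build number are assumptions for this example; on Windows the export would be resolved with GetProcAddress and would simply be missing from the old binary.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not code from the FAQ): a model of the fix scenario in
 * Figure 1, where a control (AX.2) depends on helper code that lives in a
 * separate DLL (DLL.1 vulnerable, DLL.2 fixed).  The structure fields, the
 * version export and the build number are assumptions for this example. */

/* Build number at which the helper's flaw was fixed (assumed value). */
#define HELPER_MIN_FIXED_BUILD 2u

/* What the control can see of a loaded helper binary.  On Windows the
 * version export would be resolved with GetProcAddress and is NULL when
 * the binary does not export it (the pre-fix DLL.1 never did). */
typedef struct {
    const char *name;
    unsigned (*get_build_version)(void);   /* NULL = export missing */
    int (*do_work)(const char *input);     /* the code the control calls */
} helper_dll;

/* --- constructed stand-ins for the two binaries --- */
static int dll1_work(const char *input) { return input ? 1 : 0; }
static unsigned dll2_version(void) { return 2u; }
static int dll2_work(const char *input) { return input ? (int)strlen(input) : 0; }

/* DLL.1: old binary, no version export at all. */
const helper_dll dll1_old   = { "DLL.1", NULL,         dll1_work };
/* DLL.2: fixed binary, exports its build number. */
const helper_dll dll2_fixed = { "DLL.2", dll2_version, dll2_work };

/* Handshake the new control performs before it touches the helper:
 * the helper must export the version function AND report a build at or
 * above the fixed one.  Returns 1 if acceptable, 0 otherwise. */
int helper_is_acceptable(const helper_dll *dll)
{
    if (dll == NULL || dll->get_build_version == NULL)
        return 0;                       /* pre-fix binaries lack the export */
    return dll->get_build_version() >= HELPER_MIN_FIXED_BUILD;
}

/* Control initialisation: binds to the helper only if it passes the
 * handshake.  Returns 0 on success, -1 if the helper is rejected (the
 * control stays unbound, so reintroducing DLL.1 cannot re-expose the flaw). */
int control_initialize(const helper_dll *dll, const helper_dll **bound)
{
    *bound = NULL;
    if (!helper_is_acceptable(dll))
        return -1;
    *bound = dll;
    return 0;
}

/* Uses the bound helper; refuses to run when no helper was accepted. */
int control_run(const helper_dll *bound, const char *input)
{
    if (bound == NULL)
        return -1;
    return bound->do_work(input);
}

int main(void)
{
    const helper_dll *bound;
    const helper_dll *candidates[] = { &dll2_fixed, &dll1_old };
    for (size_t i = 0; i < 2; i++) {
        int rc = control_initialize(candidates[i], &bound);
        printf("%s: %s\n", candidates[i]->name,
               rc == 0 ? "accepted" : "rejected (downgrade blocked)");
    }
    return 0;
}
```

The point of treating a missing export as a rejection, rather than only comparing numbers, is that the old binary was built before the check existed and cannot be made to answer the handshake; a control that "falls back" when the export is absent would silently accept exactly the downgraded state the FAQ describes.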

You should always carefully consider the applicability of the Kill-Bit before deciding to use it. For example, if an attack vector exists through a non-Kill-Bit-aware application then a Kill-Bit obviously will not be effective. See “If I Kill-Bit my vulnerable object / control, should I still release a fixed version?” in part 2.

Thanks to Matt Thomlinson for providing Figure 1 above!

Can I lock my ActiveX control down to a specific web site as an additional security measure?

Yes, use SiteLock. Try to avoid implementing this functionality from scratch – there are many ways to get this wrong.

SWI recommends using SiteLock only as “defense-in-depth” as it is not bulletproof. (For example, if a Cross-Site Scripting flaw exists anywhere on the domain it can potentially be abused to bypass this restriction.)
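To make concrete what "many ways to get this wrong" means, here is an added example (not the SiteLock template and not code from the original post) of the host comparison at the heart of a site lock: a naive substring test beside a comparison that respects DNS label boundaries and case. The allow-list domains and test hosts are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the SiteLock template and not code from the FAQ):
 * the host comparison at the heart of a site lock, showing one of the ways
 * from-scratch implementations get it wrong.  Domain names are constructed
 * for this example. */

/* Case-insensitive comparison of two equal-length byte ranges. */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Wrong: a substring test.  "notexample.com" and
 * "example.com.other.test" both "contain" example.com. */
int naive_host_allowed(const char *host, const char *domain)
{
    return strstr(host, domain) != NULL;
}

/* Right: the host must equal the allowed domain, or end with
 * "." + domain so the match sits on a DNS label boundary.  A single
 * trailing dot (fully qualified form) is ignored. */
int host_matches_domain(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (hl > 0 && host[hl - 1] == '.')
        hl--;                               /* "www.example.com." */
    if (dl == 0 || hl < dl)
        return 0;
    if (!ieq_n(host + (hl - dl), domain, dl))
        return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Checks a host against the control's allow-list (the list a SiteLock'd
 * control would carry compiled in). */
int host_allowed(const char *host, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (host_matches_domain(host, allowed[i]))
            return 1;
    return 0;
}

/* Constructed allow-list for the demonstration. */
const char *const ALLOWED_DOMAINS[] = { "example.com", "example.net" };
const size_t ALLOWED_COUNT = 2;

int main(void)
{
    const char *hosts[] = { "www.example.com", "notexample.com",
                            "example.com.other.test", "a.example.net." };
    for (size_t i = 0; i < 4; i++)
        printf("%-24s naive=%d strict=%d\n", hosts[i],
               naive_host_allowed(hosts[i], "example.com"),
               host_allowed(hosts[i], ALLOWED_DOMAINS, ALLOWED_COUNT));
    return 0;
}
```

Even the strict comparison only answers "is this host on the list"; as the FAQ notes, it says nothing about whether content on that host can be trusted, which is why a cross-site scripting flaw anywhere on the allowed domain still reaches the control.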

Where are some additional resources on ActiveX Controls?

Most relevant to this FAQ:

  • ActiveX Security: Improvements and Best Practices
  • How to stop an ActiveX control from running in Internet Explorer
  • Designing Secure ActiveX Controls
  • Safe Initialization and Scripting for ActiveX Controls
  • About IObjectSafety Extensions for Internet Explorer

Other good stuff:

  • How To Implement IObjectSafety in Visual Basic Controls
  • SafeCtl.exe implements IObjectSafety in ActiveX control
  • INFO: Accessing the Object Model from Within an ActiveX Control
  • IE Blog Entry on SiteLock Template for ActiveX Controls
  • INFO: Difference Between OLE Controls and ActiveX Controls
  • OLE Controls and Control Containers Guidelines, Version 1.1

- Security Vulnerability Research & Defense Bloggers

Posted by: admin. Updated: 2013-10-01 21:08:45