The two most recent IE security updates, MS05-038 and MS05-052, include defense-in-depth improvements that help prevent malicious web pages from loading and manipulating ActiveX controls that were not meant to run in IE. Prior to MS05-038 and MS05-052, IE included two main security checks around whether an ActiveX control can load and be manipulated by a web page:
- Only allow ActiveX controls to load if they are not in the registry-stored “killbit list”
- Only allow loaded ActiveX controls to be manipulated if they have implemented IObjectSafety and therefore “promised” they can be safely scripted
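As an added example (not code from the original post or from Microsoft), here is how an administrator can audit the first of those two gates from PowerShell: IE reads the kill bit as the 0x400 bit of the per-CLSID "Compatibility Flags" DWORD under the ActiveX Compatibility key, so the script reads that value directly. It assumes the documented registry layout and a session with read access to HKLM and HKCR.

```powershell
# Added example: audit which registered in-process COM servers IE would
# still be allowed to load, i.e. those without the kill bit set.
# Assumption: the documented layout where IE looks up
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# and treats bit 0x400 of "Compatibility Flags" as the kill bit.
$KillBitFlag = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }   # no entry at all: not killed
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }        # key exists but no flags value
    return (($flags -band $KillBitFlag) -ne 0)
}

# Enumerate every CLSID that registers an in-process server (a DLL IE could
# load) and record whether its kill bit is set.
function Get-ActiveXKillBitReport {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $inproc) {
            [pscustomobject]@{
                CLSID   = $clsid
                Server  = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue).'(default)'
                KillBit = Test-KillBit $clsid
            }
        }
    }
}

# Report the controls IE would still load; these are the ones worth reviewing
# for whether they were ever meant to be hosted in a browser.
Get-ActiveXKillBitReport | Where-Object { -not $_.KillBit } | Format-Table -AutoSize
```

On a 64-bit system the 32-bit IE process also consults the WOW6432Node view of these keys, so run the audit from the matching PowerShell bitness when checking a specific control.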