Security Considerations: Element Behaviors

This topic provides information about security considerations related to element behaviors. This document doesn't provide all you need to know about security issues—instead, use it as a starting point and reference for this technology area.

A Binary Element Behavior (or binary behavior) is a Component Object Model (COM) object loaded by a Web page and assigned to an element type in the page—either a custom element tag or an existing HTML tag. The COM object is then able to customize the behavior of the tag by implementing the IElementBehavior interface. Customizations include any options available to scripted behaviors and more advanced behaviors such as Windows Graphics Device Interface (GDI) rendering. For more information on creating binary element behaviors, see Binary Behaviors Overviews and Tutorials.

Because a binary behavior is a COM object, it can execute arbitrary native code once it is loaded. For that reason, the security profile of a binary behavior is very similar to that of a Microsoft ActiveX control, and the same security considerations apply. Binary behaviors, like ActiveX controls, run with the security credentials of the user running the browser process and are not confined by the script security model of the page. This means a binary behavior can not only render to the screen, it can also potentially read and write local files, change configuration settings, or reach network resources on the user's behalf. Accessing a page that loads a malicious binary behavior therefore presents a considerable security risk, and a behavior should be treated with the same caution as any other native code the browser is asked to load.

Windows Internet Explorer in Windows XP Service Pack 2 (SP2) offers three major techniques for restricting binary behaviors, as follows:

  1. Processes listed in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS registry key do not load binary behaviors on Web pages in the Restricted zone by default. Other processes can be added or removed from this list via administrative group policy or by setting the registry key manually. For more information, see Internet Explorer Maintenance Policy.

  2. Binary behaviors can be specifically allowed or forbidden to run based on the zone of the Web page loading the binary behavior. This is done via administrative group policy, by setting registry keys manually, or programmatically by enabling the FEATURE_BEHAVIORS feature control with the CoInternetSetFeatureEnabled function and then setting the zone policy for the URLACTION_BEHAVIOR_RUN action with the IInternetZoneManager::SetZoneActionPolicy function. For example, a process hosting the WebBrowser Control can disallow binary behaviors in both the Restricted Sites zone and the Local Machine zone while allowing them in other zones. For more information about the CoInternetSetFeatureEnabled function, see Introduction to Feature Controls.

  3. Binary behaviors can be specifically allowed or forbidden to run based on the combination of namespace and behavior name. Specific behaviors can be listed under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors registry key. For example, adding a DWORD value named #default#VML# with the data 0 disables the built-in Vector Markup Language (VML) binary behavior.

By default in Windows XP SP2, binary behaviors are enabled in Internet Explorer for pages in any zone except the Restricted Sites zone.
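The following PowerShell script is an added example, not part of the original page, showing how an administrator would apply the three registry-based controls described above on a single machine (the same settings that group policy would deploy). It assumes a hypothetical WebBrowser Control host named MyBrowserHost.exe, and it takes the zone and action numbers from the urlmon.h SDK header rather than from this page: the Zones registry subkeys are numbered by URLZONE (0 = Local Machine, 4 = Restricted Sites), the per-zone value for URLACTION_BEHAVIOR_RUN is named by its hex action ID "2000", and URLPOLICY_DISALLOW is 3. Writes to HKEY_LOCAL_MACHINE require an elevated prompt.

```powershell
# Added example (not from the original page). Applies the three binary
# behavior controls via the registry and reads them back for verification.
# ASSUMPTIONS (not stated on this page):
#   - 'MyBrowserHost.exe' is a hypothetical WebBrowser Control host process.
#   - Zone numbers, the '2000' action value name and the policy value 3 are
#     the URLZONE_*, URLACTION_BEHAVIOR_RUN and URLPOLICY_DISALLOW constants
#     from the urlmon.h SDK header.
# Run from an elevated PowerShell prompt; HKLM writes need administrator rights.

$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS'
$AllowedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors'
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$URLACTION_BEHAVIOR_RUN = '{0:X}' -f 0x2000   # value name under Zones\<n> is the hex action ID
$URLPOLICY_DISALLOW     = 3                   # 0 = allow, 1 = query, 3 = disallow
$URLZONE_LOCAL_MACHINE  = 0
$URLZONE_RESTRICTED     = 4

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-DwordValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Opt the hosting process into the FEATURE_BEHAVIORS feature control (DWORD 1),
#    so it stops loading binary behaviors from Restricted zone pages by default.
Set-DwordValue -Path $FeatureKey -Name 'MyBrowserHost.exe' -Value 1

# 2. Per-zone policy for URLACTION_BEHAVIOR_RUN: disallow binary behaviors in the
#    Local Machine and Restricted Sites zones for the current user.
foreach ($zone in @($URLZONE_LOCAL_MACHINE, $URLZONE_RESTRICTED)) {
    Set-DwordValue -Path "$ZonesKey\$zone" -Name $URLACTION_BEHAVIOR_RUN -Value $URLPOLICY_DISALLOW
}

# 3. Disable one specific behavior by namespace#name: the built-in VML behavior.
Set-DwordValue -Path $AllowedKey -Name '#default#VML#' -Value 0

# Read everything back so a deployment script can fail loudly if a write was lost.
$report = [ordered]@{
    'FEATURE_BEHAVIORS\MyBrowserHost.exe' = Get-DwordValue -Path $FeatureKey -Name 'MyBrowserHost.exe'
    "Zones\$URLZONE_LOCAL_MACHINE\$URLACTION_BEHAVIOR_RUN" = Get-DwordValue -Path "$ZonesKey\$URLZONE_LOCAL_MACHINE" -Name $URLACTION_BEHAVIOR_RUN
    "Zones\$URLZONE_RESTRICTED\$URLACTION_BEHAVIOR_RUN"    = Get-DwordValue -Path "$ZonesKey\$URLZONE_RESTRICTED" -Name $URLACTION_BEHAVIOR_RUN
    'AllowedBehaviors\#default#VML#' = Get-DwordValue -Path $AllowedKey -Name '#default#VML#'
}
$report.GetEnumerator() | ForEach-Object { '{0,-60} = {1}' -f $_.Key, $_.Value }

$expected = @(1, $URLPOLICY_DISALLOW, $URLPOLICY_DISALLOW, 0)
$actual   = @($report.Values)
if (Compare-Object -ReferenceObject $expected -DifferenceObject $actual) {
    Write-Error 'One or more binary behavior settings did not apply as expected.'
    exit 1
}
```

The zone policy written in step 2 is the same URLACTION_BEHAVIOR_RUN setting that the programmatic SetZoneActionPolicy call below manipulates, so the two approaches can be checked against each other: a host that applies the policy in code should see the value 3 appear under the matching Zones subkey. Note that step 1 only affects the named process; a host process that is not listed under FEATURE_BEHAVIORS keeps the pre-SP2 behavior regardless of the zone policy.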

Disabling Binary Behaviors using the CoInternetSetFeatureEnabled and SetZoneActionPolicy functions

Using the CoInternetSetFeatureEnabled function in conjunction with the IInternetZoneManager::SetZoneActionPolicy function, developers can disable binary behaviors in a given zone. When the Binary Behaviors feature control (FEATURE_BEHAVIORS) is turned on, Internet Explorer decides whether to load a binary behavior by consulting the URL policy set for the URLACTION_BEHAVIOR_RUN URL action in the zone of the page. Developers therefore use the CoInternetSetFeatureEnabled function to turn on the feature control and the IInternetZoneManager::SetZoneActionPolicy function to set the URL policy for that action to URLPOLICY_DISALLOW; without the feature control turned on, the policy is not consulted and behaviors load as before. The following example disables binary behaviors in pages loaded from the Internet zone. Because the feature control is process-specific, this code must run in the process that hosts the WebBrowser Control, before the content in question is loaded.

#include <windows.h>
#include <urlmon.h>
#pragma comment(lib, "urlmon.lib")

// Disable binary behaviors for pages loaded from the Internet zone.
IInternetZoneManager* pZoneManager = NULL;
HRESULT hr = CoInternetCreateZoneManager(NULL, &pZoneManager, 0);
if (SUCCEEDED(hr))
{
    // Turn on the Binary Behaviors feature control so that the
    // URLACTION_BEHAVIOR_RUN policy is consulted for Internet-zone content.
    hr = CoInternetSetFeatureEnabled(FEATURE_BEHAVIORS, SET_FEATURE_ON_THREAD_INTERNET, TRUE);
    if (SUCCEEDED(hr))
    {
        // Set the policy for that action to DISALLOW in the Internet zone.
        DWORD dwPolicy = URLPOLICY_DISALLOW;
        hr = pZoneManager->SetZoneActionPolicy(URLZONE_INTERNET, URLACTION_BEHAVIOR_RUN,
            (BYTE*)&dwPolicy, sizeof(dwPolicy), URLZONEREG_DEFAULT);
        if (SUCCEEDED(hr))
            MessageBox(NULL, TEXT("Binary Behaviors are disabled in the Internet zone"),
                TEXT("Binary Behaviors"), MB_OK);
    }
}
if (pZoneManager != NULL)
    pZoneManager->Release();

Reference

CoInternetSetFeatureEnabled

IInternetZoneManager::SetZoneActionPolicy

Conceptual

Binary Behaviors Overviews and Tutorials

Introduction to Feature Controls

Other Resources

Microsoft Security

MSDN Security Developer Center

TechNet Security Resources

Security Best Practices