Microsoft KB Archive/909738

= A Web page that contains a custom ActiveX control may not load as expected in Internet Explorer due to defense in depth changes introduced in cumulative security update 896688 (MS05-052) =

Article ID: 909738

Article Last Modified on 10/11/2007

-

APPLIES TO

 Microsoft Internet Explorer 6.0 Service Pack 1, when used with:  Microsoft Windows XP Service Pack 1

 Microsoft Windows 2000 Service Pack 4

 Microsoft Windows 2000 Professional Edition

 Microsoft Windows 2000 Datacenter Server</li></ul>

 Microsoft Windows 2000 Advanced Server</li></ul>

 Microsoft Windows Millennium Edition</li></ul>

 Microsoft Windows 98 Second Edition</li></ul> </li> Microsoft Internet Explorer 6.0</li> Microsoft Internet Explorer 6.0, when used with:  Microsoft Windows Server 2003, Standard Edition (32-bit x86)</li></ul>

 Microsoft Windows Server 2003, Enterprise Edition</li></ul>

 Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)</li></ul>

 Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems</li></ul>

<ul> <li>Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems</li></ul>

<ul> <li>Microsoft Windows Server 2003, Standard x64 Edition</li></ul>

<ul> <li>Microsoft Windows Server 2003, Enterprise x64 Edition</li></ul>

<ul> <li>Microsoft Windows Server 2003, Datacenter x64 Edition</li></ul>

<ul> <li>Microsoft Windows XP Service Pack 2</li></ul>

<ul> <li>Microsoft Windows XP Professional x64 Edition</li></ul> </li> <li>Microsoft Internet Explorer 5.5, when used with: <ul> <li>Microsoft Windows Millennium Edition</li></ul> </li> <li>Microsoft Internet Explorer 5.01 Service Pack 4, when used with: <ul> <li>Microsoft Windows 2000 Service Pack 4</li></ul>

<ul> <li>Microsoft Windows 2000 Professional Edition</li></ul>

<ul> <li>Microsoft Windows 2000 Datacenter Server</li></ul>

<ul> <li>Microsoft Windows 2000 Advanced Server</li></ul> </li></ul>

-

<div class="notice_section">

<div class="notice_section">

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

<div class="notice_section">

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

<div class="symptoms_section">

SYMPTOMS
After you install cumulative security update 896688 (MS05-052), a Web page that contains a custom Microsoft ActiveX control does not load as expected in the products that are listed in the &quot;Applies To&quot; section.

This issue occurs when the Web page that contains the ActiveX control is located in the Internet zone. If the Web page is in the intranet zone or is a Trusted site, the ActiveX control loads as expected.

<div class="cause_section">

CAUSE
Security update MS05-052 introduces additional checks before a Microsoft Component Object Model (COM) object can run in Microsoft Internet Explorer. The intent of this change is to prevent COM objects that were not designed to be instantiated in Internet Explorer from being instantiated in Internet Explorer. One of the checks that is introduced with MS05-052 is that Internet Explorer now checks for the IObjectSafety interface for ActiveX controls in the Internet zone before a COM object can run in Internet Explorer.

<div class="resolution_section">

RESOLUTION
To resolve this issue, recompile the ActiveX control. Then, mark the control as safe for scripting and safe for initialization when the control is run in the context of an Internet browser.

For more information about how Internet Explorer determines whether an ActiveX control is safe for scripting and safe for initialization, click the following article number to view the article in the Microsoft Knowledge Base:

216434 How Internet Explorer determines if ActiveX controls are safe

For more information about how to mark an MFC ActiveX control as safe for scripting and initialization, click the following article number to view the article in the Microsoft Knowledge Base:

161873 How to mark MFC ActiveX controls as Safe for Scripting and Initialization

<div class="workaround_section">

WORKAROUND
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To work around this issue, use one of the following methods:

Set the safe for scripting and safe for initialization value in the registry
If you cannot recompile the ActiveX control, but the control developer classifies the ActiveX control as safe for scripting and safe for initialization, you can use one of the following registry values to mark the ActiveX control as safe for scripting and safe for initialization:
 * {7DD95801-9882-11CF-9FA9-00AA006C42C4}
 * {7DD95802-9882-11CF-9FA9-00AA006C42C4}

For example, if the CLSID for the ActiveX control is {A697E83F-3B53-11D1-8AE4-006097ED2008}, you can add one of the following registry values to mark the ActiveX control as safe for scripting and safe for initialization:

Move the Web site to a different zone
If the Web site can be trusted, you can move the Web site to a more trusted zone. For more information about how to add a Web site to a security zone, visit the following Microsoft Web site:

http://www.microsoft.com/windows/ie/ie6/using/howto/security/settings.mspx

Set the ActiveX compatibility value in the registry
You can set the ActiveX compatibility flag in the registry. To do this, follow these steps: <ol> <li>Click Start, click Run, type Regedit.exe, and then click OK.</li> <li>Locate the following registry subkey:

</li> <li>Right-click ActiveX Compatibility, point to New, click Key, type the CLSID for the ActiveX control, and then press ENTER.</li> <li>Right-click the key that you created in step 3, point to New, and then click DWORD Value.</li> <li>Type Compatibility Flags, and then press ENTER.</li> <li>Right-click Compatibility Flags, and then click Modify.</li> <li>In the Value data box, type 00800000, and then click OK.</li> <li>Quit Registry Editor.</li></ol>

<div class="references_section">