
Programs that do not respect disabling access to Internet Explorer in XP

DISCLAIMER = If you do not have experience with emulating Windows software with Wine or Cedega in Linux, or with MMORPG games, this thread may be difficult for you to understand.

Ok, here's my situation. I have been using Firefox as my primary and only internet browser for a long time. Under the "Set Program Access and Defaults" section of Windows XP, I have the "Use my current Web Browser"(which is Firefox) radio button checked, and next to (Microsoft)Internet Explorer, I have unchecked the box that reads "Enable Access to this Program".

Under most circumstances this works as I would expect it to. Almost any program that wants to launch an internet page or use any kind of internet code or script will default to opening Firefox.

There are, however, a few types of programs that do not seem to respect that. The specific type of program that will, no matter what, launch and use IE instead of Firefox, are launchers for MMORPG games, such as World of Warcraft, Everquest 2, and RF Online. I'm not positive about the former 2, as I have not played them in quite some time, but I am currently playing RF Online since it became 100% free to download and play.

If you aren't familiar with what these launchers are for or how they work, they are generally used to handle updates to the actual game client without having to enter it. In actuality, it is a separate program. More often than not, these launchers also provide you with news on the game, which is somehow handled by running code from an internet browser within the launcher itself.

The thing that I want to do in XP, is exactly what Wine and Cedega do in Linux. If I install a Windows program under Wine, that would normally, if installed in Windows, force my computer to access Microsoft IE, Wine will download a Mozilla program or plugin that simulates how these launcher programs use MS IE in Windows. Obviously, anyone running Linux wouldn't want anything Microsoft near that OS installation in the first place, but I digress.

What I want is for these launcher programs to respect that I want nothing, and I mean nothing, to access any type of MS Internet Explorer code on my installation of Windows XP. Before I used Wine and Cedega for Linux, I would not have believed this to be possible. But they do exactly what I want done in my Windows XP installation, which is, install a Mozilla program or plugin that causes these game launchers not to use ActiveX script or any type of code from the Microsoft IE program.

/rant on
If I had it my way, I would manually hack my XP installation and tear out every piece of code related to Microsoft Internet Explorer. However, it would probably be more trouble than it was worth, and not to mention the damage I could cause would outweigh the peace of mind I would gain knowing that that software was no longer present in my OS.
/rant off

Any help would be greatly appreciated.
 
Depending on your version of Windows, you may be able to use the "Don't run specified Windows applications" setting in GPEdit.msc, if your version of Windows has it. That setting is found in... lesse here... in this area :camera: If you don't have gpedit.msc, you can try renaming your Internet Explorer executable 🙂

Regarding ActiveX, you can force-disable ActiveX in IE's Internet Options > Security > zones panels if that's what you want, and/or install IE7 which has ActiveX opt-in for improved security against IE being used to run ActiveX stuffs that don't belong in IE. I'd recommend getting IE7 for that reason, even if you never plan to use it yourself.

(in the bigger picture, no, I don't know of a program that would intervene in the exact fashion you want)
 
Depending on your version of Windows, you may be able to use the "Don't run specified Windows applications" setting in GPEdit.msc, if your version of Windows has it.

Hmm... can you be more specific? Which version would have it? I ran a search on my installation drive and no results were returned for that file. I run a fully updated copy of XP Home SP2. If I had to take a guess, this would only be found in XP Pro. Can you confirm?

Regarding ActiveX, you can force-disable ActiveX in IE's Internet Options > Security > zones panels if that's what you want, and/or install IE7 which has ActiveX opt-in for improved security against IE being used to run ActiveX stuffs that don't belong in IE. I'd recommend getting IE7 for that reason, even if you never plan to use it yourself.

I've done exactly that. For fear of security vulnerabilities, I keep my installation fully up to date, including Windows components I'm not going to use such as IE. Now, after manually disabling ActiveX, the launcher program, rather than showing what it's supposed to, gives me several ActiveX errors.

Unfortunately, I don't have access to an installation of Linux at the moment. If I did, I would probably be able to figure out the exact name of the Mozilla plugin that does what I want in the Windows environment emulators such as Wine. I'd then google that, and see if there is an equivalent for Windows. I was hoping I'd get lucky and one of the Linux gurus would see my post and be able to tell me offhand whether or not this is the case.

Well, thanks much for the reply. Questions this specific and technical often don't get responses at all on some forums. I've only made a few posts here on Anand, and it's nice to see people with some good technical knowledge willing to offer help.

Cheers.

UPDATE EDIT: I did a bit of googling, and I think the name of the Mozilla plugin I am looking for is called Gecko. However, I was not able to find any information on how to force Windows programs to use that instead of defaulting to using IE and ActiveX. Moreover, I am starting to think that while Gecko could replace access to standard Internet Explorer code and script, it would not be able to do the same for ActiveX, since that technology is as proprietary as Microsoft software can get. I also get the feeling that unlike some of the other game launchers that I have used, the RF Online launcher is the only one that actually uses ActiveX code/script in the launcher itself, rather than just standard Internet Explorer code.

To sum it up, I believe I will have to accept defeat on this issue. The real solution to the problem would be for the developers of that game and its launcher to remove reliance on ActiveX script/code, although I'm sure any pleas for such would fall on deaf ears.

/rant on
It is sad that this is the sorry state of software we are in, that reliance on proprietary technologies is the default choice for some software developers. Possibly it's just easier for them to code, or maybe it's just because it's easier for them to assume that no one cares. Software developers need to realize that this kind of proprietary technology is obsolete, not because the technology isn't up to date or full-featured, but because it offers the user absolutely no choice. It's my computer, and if there's other technology that's just as good or better, shouldn't I be able to choose what I use? Apparently not.
/rant off
 
Correct, gpedit.msc is not available on XP Home. Yes, I think the game developers are going to have to be part of your solution. If you are concerned about security, I can remark from firsthand knowledge that you should also uninstall Sun Java, because the bad guys will be perfectly happy to use that to infect your computer too. As well as many other things. https://psi.secunia.com <--- a recommended checkup tool, even if you don't leave it installed all the time.
 
If you are concerned about security, I can remark from firsthand knowledge that you should also uninstall Sun Java, because the bad guys will be perfectly happy to use that to infect your computer too.

Thanks for the heads up on that. However, my biggest problem with uninstalling SUN Java, is I play a text-based MUD (which, if you're not familiar, is basically an MMORPG with a text interface instead of a GUI, they've been around since the 80s), and the client for that game is completely Java based. I'm also pretty sure other websites I frequently visit require some type of Javascript as well.

My preferred Linux distribution, Kubuntu (which is exactly the same as Ubuntu except with the KDE interface installed by default instead of the GNOME interface) comes with some type of Java software as part of the restricted extras, making it only 1 simple console command away from a fresh installation. I'm not sure about this, but seeing as how almost everything in Linux is open-source, I would suspect they might not use the official Java by SUN Microsystems.

Do you have any ideas about a fully functional alternative to the official SUN Java, or would any Java, from a security standpoint, be just as insecure? I'm not overly concerned or paranoid about security, so I'm not willing to sacrifice features that I need or might need just to have absolute maximum security. The only reason for me worrying about security in relation to MS IE and ActiveX, is since they are a part of Windows, keeping my Windows OS up to date means doing the same for them.
 
I'm not aware of any great alternatives, except for something that you as a *nix guy would already be aware of: not running apps as root unless they absolutely NEED that privilege level. mech's propaganda for using non-root user accounts on Windows

While this doesn't stop exploits from happening, it puts very strong limitations on what they can actually succeed at.

Oh, and
I'm also pretty sure other websites I frequently visit require some type of Javascript as well.

Java and Javascript aren't the same thing. Without Java, your browser can still use Javascript. Speaking of which, you can disable Java in your browser (on Firefox, I believe it's in the first tab in the Options panel), and the NoScript extension for Firefox is known to be a good way to restrict Java and/or Javascript to just the sites you whitelist, reducing your chances of a malicious attack by those vectors. You can do likewise in IE7 by using the different Zones in Internet Options > Security if you like (setting the Trusted Zone to Medium-High, then using that as your whitelist while disabling active scripting and Java applets in the Internet Zone).
 
Sometimes I get ahead of myself during forum discussion and ask questions that I could find good answers to by doing my own research. A quick Google and I was able to come up with this: Viva - Open Source Java - A 100% free, clean room implementation of the core Java class libraries to offer a free alternative to Sun's proprietary libraries...

I have no idea how functional it is, as I just found the page, but this is certainly the direction I was looking to go. I'll look into it a little more when I have more free time.

Edit: You seem to have better technical knowledge of how this stuff works than I do, and if you have a chance, let me know what you think of Viva.
 
It would be interesting to see if the usual Java-driven attacks work with the alternative Java. If I get a chance to try that out tonight or tomorrow, I'll post with an update 🙂
 
Originally posted by: mechBgon
It would be interesting to see if the usual Java-driven attacks work with the alternative Java. If I get a chance to try that out tonight or tomorrow, I'll post with an update 🙂

Cool, thanks, I really do appreciate it.

One thing I'd like to add to this thread, is that security is one of my smallest concerns. I am more interested in finding open-source or 100% free alternatives to proprietary software.

I have been using Windows XP for what must be 5 years or more. I have never had a real virus, and any type of malware, grayware, adware or spyware that I've encountered has been easily removed by free online services (that are, coincidentally, usually powered by Java). I've also never had my system hacked, unless it was a very small hack that I was never even able to notice. On top of all that, I have never installed or used any type of security software that requires running constantly in the background (with the possible exception of the built-in Windows firewall), although I do periodically run free online virus and malware scans (as mentioned above) just to be 100% sure.

I would like to consider myself a pretty advanced user, and I attribute the security of my system to reasons such as the fact that I am the only one who uses it, and my "instinct", if you will, of anything that looks or seems suspicious. I seem to have an intuition of sorts; I know what sites not to visit at all, what links not to click, what applets not to run, and am able to avoid what might lead to accidentally running any type of potentially malicious executable code. Even if only in this respect alone, I consider myself far more advanced than the average user.
 
Realize that the bad guys recently hacked hundreds of thousands of sites, many of which were probably normally safe, installing automatic MPACK exploit IFRAMEs on them. Result: victims come to a normally-safe website such as this one, and get attacked. From watching Microsoft Network Monitor while a system gets hit by these attacks, I can tell you that there won't be time to react. Nine-pronged attack launched in <1 second on a fast connection. Down you go. This is part of their business model now.

I can also remark that some of the malware I've found recently will defy after-the-fact scans by antivirus software (even if the antivirus has definitions which technically detect the malware) and by rootkit scanners. There goes the usual "haha, I got a clean scan at ____ online scanner, I am therefore uninfected" argument I hear frequently around here. Prevention, prevention, prevention is the name of the game now IMHO. The bad guys are financially-motivated (one report states that the malware trade is now bigger than the illegal-drugs trade worldwide) and they are industrious and skilled.

So my top suggestions for Windows users are to avoid risk, yes, and eliminate known vulnerabilities, yes, and use antivirus software too, but also try to break their addiction to a root/su account, so the risks that remain can be contained and prevented from gaining full control of the computer.
 
Originally posted by: ShadowZERO
UPDATE EDIT: I did a bit of googling, and I think the name of the Mozilla plugin I am looking for is called Gecko. However, I was not able to find any information on how to force Windows programs to use that instead of defaulting to using IE and ActiveX. Moreover, I am starting to think that while Gecko could replace access to standard Internet Explorer code and script, it would not be able to do the same for ActiveX, since that technology is as proprietary as Microsoft software can get. I also get the feeling that unlike some of the other game launchers that I have used, the RF Online launcher is the only one that actually uses ActiveX code/script in the launcher itself, rather than just standard Internet Explorer code.

Gecko is simply the layout engine that drives a number of web browsers, including Firefox, Camino, Netscape and probably some others. It is something you could theoretically incorporate into your own programs to add HTML rendering, but it's not something that replaces IE.

To sum it up, I believe I will have to accept defeat on this issue. The real solution to the problem would be for the developers of that game and its launcher to remove reliance on ActiveX script/code, although I'm sure any pleas for such would fall on deaf ears.

Honestly, what's wrong with using ActiveX controls for Windows-only games? ActiveX controls are simply plugins for Internet Explorer. There were a good deal of issues with earlier versions of IE and ActiveX controls, simply because the controls were not sandboxed well and could access key system files. This security risk has been mitigated by improvements in both IE 6 SP2 and IE 7, and the risk is further reduced by running under a limited user account. As long as you only run signed controls from trusted sources, your risk should be fairly limited.

/rant on
It is sad that this is the sorry state of software we are in, that reliance on proprietary technologies is the default choice for some software developers. Possibly it's just easier for them to code, or maybe it's just because it's easier for them to assume that no one cares. Software developers need to realize that this kind of proprietary technology is obsolete, not because the technology isn't up to date or full-featured, but because it offers the user absolutely no choice. It's my computer, and if there's other technology that's just as good or better, shouldn't I be able to choose what I use? Apparently not.
/rant off

If you want to avoid proprietary technologies, avoid games that are only developed for the Windows platform. Cross-platform games are much more likely to employ subsystems and APIs that work on a variety of operating systems.
 
Originally posted by: mechBgon
Realize that the bad guys recently hacked hundreds of thousands of sites, many of which were probably normally safe, installing automatic MPACK exploit IFRAMEs on them. Result: victims come to a normally-safe website such as this one, and get attacked. From watching Microsoft Network Monitor while a system gets hit by these attacks, I can tell you that there won't be time to react. Nine-pronged attack launched in <1 second on a fast connection. Down you go. This is part of their business model now.

I can also remark that some of the malware I've found recently will defy after-the-fact scans by antivirus software (even if the antivirus has definitions which technically detect the malware) and by rootkit scanners. There goes the usual "haha, I got a clean scan at ____ online scanner, I am therefore uninfected" argument I hear frequently around here. Prevention, prevention, prevention is the name of the game now IMHO. The bad guys are financially-motivated (one report states that the malware trade is now bigger than the illegal-drugs trade worldwide) and they are industrious and skilled.

So my top suggestions for Windows users are to avoid risk, yes, and eliminate known vulnerabilities, yes, and use antivirus software too, but also try to break their addiction to a root/su account, so the risks that remain can be contained and prevented from gaining full control of the computer.

Although this post is straying off topic quite a bit, I would like to ask you to consider an observation I have made by your posts.

You seem to be quite passionate about computer security. I really do respect that, because, as I'm sure you have noticed by my posts, I am also passionate, but about a different subject: The adoption of open-source and freeware standards to replace proprietary standards.

So although we share a passion about computers, what I want you to consider is the fact that passion and bias go hand in hand. My rant sections of my posts are extremely biased, and you seem to be biased in a similar fashion about computer security.

I cannot stress enough how much respect I have for people like you, who make it their own business, spending their time and effort, to learn how to protect the masses that can't, won't or don't have the time or knowledge to help themselves in the same manner.

My point I'm trying to make is that my interest in what I am passionate about is just as important to me as your interest in what you seem to be passionate about to you. Therefore, I am simply asking you to step outside your own bias to look at my issue from my perspective, rather than yours. I constantly strive in my life to do just the same, seeing the issue at hand from the other's perspective rather than my own.

I really hope that there is no offense taken by this observation I've made, because really, we share a very common mentality, and I believe that is part of where respect comes from.

I also would like to add that I do appreciate every last bit of information you have provided in this thread, as I constantly strive to better myself by not only improving my knowledge on subjects that I'm lacking in, but by understanding the perspective of others and what makes them passionate about those subjects in the first place.

This post is almost like a blurb on philosophy more than it is relevant to this actual thread topic, but I hope it will add to us being able to communicate and understand each other, especially considering you are seemingly the person with more technical know-how. Please understand that I have never run into any type of security problem with my system, so unfortunately I am unable to relate to your passion in terms of experience.

As ignorant and naive as it may sound, until I do get hit by a major security issue, I am not willing to make many changes to my computer use to improve it, and that's what I'm trying to point out. The time and effort it might take to maximize security as you would have done simply would not be worth it to someone like me. In life, people rarely make major changes to the way they do things based on the insight and knowledge given by others, but rather, it is their own personal experience that drives people to change.

After I typed this out, I really considered just closing the window and forgetting about posting it entirely. But I guess I got the urge to express myself, and here it is, hopefully for better rather than worse. And of course, feel free to take this post with a grain of salt, or ignore it entirely. I just had a moment of self expression and I happened to have hit the reply button before it passed 😉
 
Originally posted by: MrChad
If you want to avoid proprietary technologies, avoid games that are only developed for the Windows platform. Cross-platform games are much more likely to employ subsystems and APIs that work on a variety of operating systems.

You're missing the point. I'm going to be playing RF Online for a number of reasons, that's not the argument.

Let's try an analogy. In medical terms, you can cure any disease simply by killing the patient. But that's not a solution now is it? Let's say RF Online is the "patient" and ActiveX is the "disease" we are trying to remove, or cure. Not playing RF Online would be like giving up on life, and uninstalling it equivalent to killing the patient. If I can't cure the disease, then I'm going to learn to live with it as best I can, until a "cure" (or solution) is found.
 
Originally posted by: ShadowZERO
Originally posted by: mechBgon
Realize that the bad guys recently hacked hundreds of thousands of sites, many of which were probably normally safe, installing automatic MPACK exploit IFRAMEs on them. Result: victims come to a normally-safe website such as this one, and get attacked. From watching Microsoft Network Monitor while a system gets hit by these attacks, I can tell you that there won't be time to react. Nine-pronged attack launched in <1 second on a fast connection. Down you go. This is part of their business model now.

I can also remark that some of the malware I've found recently will defy after-the-fact scans by antivirus software (even if the antivirus has definitions which technically detect the malware) and by rootkit scanners. There goes the usual "haha, I got a clean scan at ____ online scanner, I am therefore uninfected" argument I hear frequently around here. Prevention, prevention, prevention is the name of the game now IMHO. The bad guys are financially-motivated (one report states that the malware trade is now bigger than the illegal-drugs trade worldwide) and they are industrious and skilled.

So my top suggestions for Windows users are to avoid risk, yes, and eliminate known vulnerabilities, yes, and use antivirus software too, but also try to break their addiction to a root/su account, so the risks that remain can be contained and prevented from gaining full control of the computer.

Although this post is straying off topic quite a bit, I would like to ask you to consider an observation I have made by your posts.

You seem to be quite passionate about computer security. I really do respect that, because, as I'm sure you have noticed by my posts, I am also passionate, but about a different subject: The adoption of open-source and freeware standards to replace proprietary standards.

So although we share a passion about computers, what I want you to consider is the fact that passion and bias go hand in hand. My rant sections of my posts are extremely biased, and you seem to be biased in a similar fashion about computer security.

I cannot stress enough how much respect I have for people like you, who make it their own business, spending their time and effort, to learn how to protect the masses that can't, won't or don't have the time or knowledge to help themselves in the same manner.

My point I'm trying to make is that my interest in what I am passionate about is just as important to me as your interest in what you seem to be passionate about to you. Therefore, I am simply asking you to step outside your own bias to look at my issue from my perspective, rather than yours. I constantly strive in my life to do just the same, seeing the issue at hand from the other's perspective rather than my own.

I really hope that there is no offense taken by this observation I've made, because really, we share a very common mentality, and I believe that is part of where respect comes from.

I also would like to add that I do appreciate every last bit of information you have provided in this thread, as I constantly strive to better myself by not only improving my knowledge on subjects that I'm lacking in, but by understanding the perspective of others and what makes them passionate about those subjects in the first place.

This post is almost like a blurb on philosophy more than it is relevant to this actual thread topic, but I hope it will add to us being able to communicate and understand each other, especially considering you are seemingly the person with more technical know-how. Please understand that I have never run into any type of security problem with my system, so unfortunately I am unable to relate to your passion in terms of experience.

As ignorant and naive as it may sound, until I do get hit by a major security issue, I am not willing to make many changes to my computer use to improve it, and that's what I'm trying to point out. The time and effort it might take to maximize security as you would have done simply would not be worth it to someone like me. In life, people rarely make major changes to the way they do things based on the insight and knowledge given by others, but rather, it is their own personal experience that drives people to change.

After I typed this out, I really considered just closing the window and forgetting about posting it entirely. But I guess I got the urge to express myself, and here it is, hopefully for better rather than worse. And of course, feel free to take this post with a grain of salt, or ignore it entirely. I just had a moment of self expression and I happened to have hit the reply button before it passed 😉

No offense taken. I understood that your goal is ideologically driven.
 
Originally posted by: ShadowZERO
Originally posted by: MrChad
If you want to avoid proprietary technologies, avoid games that are only developed for the Windows platform. Cross-platform games are much more likely to employ subsystems and APIs that work on a variety of operating systems.

You're missing the point. I'm going to be playing RF Online for a number of reasons, that's not the argument.

Let's try an analogy. In medical terms, you can cure any disease simply by killing the patient. But that's not a solution now is it? Let's say RF Online is the "patient" and ActiveX is the "disease" we are trying to remove, or cure. Not playing RF Online would be like giving up on life, and uninstalling it equivalent to killing the patient. If I can't cure the disease, then I'm going to learn to live with it as best I can, until a "cure" (or solution) is found.

If your main objection to ActiveX is that it's proprietary and closed-source, why do you have no issue using a closed-source platform such as Windows to play closed-source, single-platform games? I can certainly respect a passion for open-source adoption, but if you are truly dedicated to that cause, you need to ditch Windows and stop supporting companies that sell closed-source wares.
 