Question: Is it possible to construct a web page that has a script to turn off XML data-binding in MSIE? The ideal approach would be to code an HTML page and instruct all people in the office to visit the page with a button that says "turn off data-binding".
问题:是否可以构建一个具有脚本的网页来关闭MSIE中的XML数据绑定?理想的方法是编写HTML页面并指示办公室中的所有人使用“关闭数据绑定”按钮访问该页面。
Rationale: The desktop sysadmin is not available at this time and the goal is to create a brain-dead simple way to let people turn this feature off without having to walk them through a bunch of MSIE configuration menus.
基本原理:目前桌面系统管理员不可用,其目标是创建一种简单易懂的方法,让人们关闭此功能,而无需通过一堆MSIE配置菜单。
1 个解决方案
#1
1
I'm assuming you're talking about Microsoft Security Advisory (961051).
我假设你在谈论微软安全咨询(961051)。
If you could disable XML data-binding using client-side script, then someone could enable it with client-side script and expose the vulnerability again. So that isn't possible.
如果您可以使用客户端脚本禁用XML数据绑定,则有人可以使用客户端脚本启用它并再次暴露漏洞。所以这是不可能的。
However, if everyone is running the same version of Windows and the same bitness flavor, then just send them to a page where they can copy and paste this into Start > Run:
但是,如果每个人都运行相同版本的Windows并具有相同的比特味,那么只需将它们发送到一个页面,然后将其复制并粘贴到“开始”>“运行”:
Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"
Regsvr32.exe / u“Program Files \ Common Files \ System \ Ole DB \ oledb32.dll”
Note that this will protect against current attacks but to comprehensively protect against the vulnerability they recommend applying another workaround. More on that here.
请注意,这可以防止当前的攻击,但要全面防范他们建议应用其他解决方法的漏洞。更多关于这一点。
And encouraging your employees to go to a website in an E-mail and run something they've been told to run is probably a bad idea as it opens them up to various phishing attacks since most people won't be able to distinguish between an E-mail from their own company IT department and an E-mail sent by a malicious person.
并鼓励您的员工通过电子邮件访问网站并运行他们被告知要运行的内容可能是一个坏主意,因为它会导致各种网络钓鱼攻击,因为大多数人无法区分来自他们自己公司IT部门的电子邮件和恶意人员发送的电子邮件。
More about the available workarounds here.
有关可用的变通方法的更多信息。
In the end, the best practice would be to push out one of the workarounds as described in the above KB article.
最后,最佳做法是推出上述知识库文章中描述的解决方法之一。
#1
1
I'm assuming you're talking about Microsoft Security Advisory (961051).
我假设你在谈论微软安全咨询(961051)。
If you could disable XML data-binding using client-side script, then someone could enable it with client-side script and expose the vulnerability again. So that isn't possible.
如果您可以使用客户端脚本禁用XML数据绑定,则有人可以使用客户端脚本启用它并再次暴露漏洞。所以这是不可能的。
However, if everyone is running the same version of Windows and the same bitness flavor, then just send them to a page where they can copy and paste this into Start > Run:
但是,如果每个人都运行相同版本的Windows并具有相同的比特味,那么只需将它们发送到一个页面,然后将其复制并粘贴到“开始”>“运行”:
Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"
Regsvr32.exe / u“Program Files \ Common Files \ System \ Ole DB \ oledb32.dll”
Note that this will protect against current attacks but to comprehensively protect against the vulnerability they recommend applying another workaround. More on that here.
请注意,这可以防止当前的攻击,但要全面防范他们建议应用其他解决方法的漏洞。更多关于这一点。
And encouraging your employees to go to a website in an E-mail and run something they've been told to run is probably a bad idea as it opens them up to various phishing attacks since most people won't be able to distinguish between an E-mail from their own company IT department and an E-mail sent by a malicious person.
并鼓励您的员工通过电子邮件访问网站并运行他们被告知要运行的内容可能是一个坏主意,因为它会导致各种网络钓鱼攻击,因为大多数人无法区分来自他们自己公司IT部门的电子邮件和恶意人员发送的电子邮件。
More about the available workarounds here.
有关可用的变通方法的更多信息。
In the end, the best practice would be to push out one of the workarounds as described in the above KB article.
最后,最佳做法是推出上述知识库文章中描述的解决方法之一。