SSL and Code Sign issue

**kenobewan** · Sep 17 '08, 01:16 PM

Originally posted by wrsoundar

Hi Friends

I have a problem in excel data export thru javascript. we create an excel object from javascript. at that time IE shows the warning message "An Activex ontrol on this page might be unsafe to interect with other part of the page. do you want to allow this interection?" shows. Our client dont want to enable the Unsafe manner chk box in security settings

So we tried to sign the excel object using sign tool and make the certificate to pfx and import in to IIS. after that also the same error message is comming. is there any solution ?

Thanks in advance

Remember SSL & security are for your benefit too. AOL's Instant Messaging Command Execution, HTML and JavaScript Injection Vulnerabilities

Here is a reference that may help:
Designing Secure ActiveX Controls

**wrsoundar** · Sep 22 '08, 02:27 PM

Thanks for your reply.

I go thru the ref URL and i signed my excel.exe. but still the warning message is appear in my client side.

I used the following syntax

makecert -r -pe -n "CN=s6072" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3 .1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv key.pvk key.cer

cert2spc key.cer key.spc

signtool signwizard

and then used pvkimport.exe to convert pvk format and add in to IIS SSL Certificate.

Kindly guide me.

Thanks in advance

Soundar

**wrsoundar** · Sep 24 '08, 04:49 AM

As the continous of the the above problem we request microsoft to assist. They replied with some points.

This behavior is by design. Office applications such as Word, PowerPoint, Excel etc. cannot be automated with CreateObject (VBScript) or ActiveXObject (JScript) unless this security setting allows it. Therefore the problem is not specific to Excel or JScript. The reason that Excel object is not safe from a scripting environment is because Excel can potentially writes to the User’s local file system. For example, although Microsoft Excel is a trusted tool from a reputable source, a malicious script can use its automation model to delete files on the user's computer, install macro viruses, and worse.

To solve this problem, we recommend you choose one of the following options:
1) Add the web site to the trusted sites zone.

-OR-

2) Change the following security setting for the Intranet zone to either Prompt or Enable:
"Initialize and script ActiveX Controls Not Marked as Safe"

-OR-

3) Create your own custom ActiveX control using a language like VB6, MFC, or ATL and in this ActiveX control, write code that automates Excel. This ActiveX control will be signed with a digital certificate and will be marked safe for scripting.

The following article provides more details on this solution when automating Word from a web page:
286023 - HOWTO: Use a VB ActiveX Component For Word Automation From Internet
http://support.microso ft.com/default.aspx?sc id=KB;en-us;286023

Ref

Safe Initialization and Scripting for ActiveX Controls
http://msdn.microsoft. com/workshop/components/activex/safety.asp

Now the customer is agreed with the microsoft solution :-)

Thanks a lot

Soundar

SSL and Code Sign issue

SSL and Code Sign issue

Comment

Comment

Comment