SSL and Code Sign issue

  • wrsoundar
    New Member
    • Jan 2008
    • 5

    SSL and Code Sign issue

    Hi Friends

    I have a problem with Excel data export through JavaScript. We create an Excel object from JavaScript. At that point IE shows the warning message "An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?". Our client doesn't want to enable the Unsafe manner check box in security settings.

    So we tried to sign the Excel object using sign tool, converted the certificate to pfx and imported it into IIS. After that the same error message still comes up. Is there any solution?

    Thanks in advance
  • kenobewan
    Recognized Expert Specialist
    • Dec 2006
    • 4871

    #2
    Originally posted by wrsoundar
    Hi Friends

    I have a problem with Excel data export through JavaScript. We create an Excel object from JavaScript. At that point IE shows the warning message "An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?". Our client doesn't want to enable the Unsafe manner check box in security settings.

    So we tried to sign the Excel object using sign tool, converted the certificate to pfx and imported it into IIS. After that the same error message still comes up. Is there any solution?

    Thanks in advance
    Remember SSL & security are for your benefit too. AOL's Instant Messaging Command Execution, HTML and JavaScript Injection Vulnerabilities

    Here is a reference that may help:
    Designing Secure ActiveX Controls


    • wrsoundar
      New Member
      • Jan 2008
      • 5

      #3
      Thanks for your reply.

      I went through the reference URL and I signed my excel.exe, but the warning message still appears on my client side.

      I used the following syntax

      makecert -r -pe -n "CN=s6072" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv key.pvk key.cer

      cert2spc key.cer key.spc

      signtool signwizard

      and then used pvkimport.exe to convert the pvk format and add it to the IIS SSL certificate.

      Kindly guide me.

      Thanks in advance

      Soundar


      • wrsoundar
        New Member
        • Jan 2008
        • 5

        #4
        As a continuation of the above problem, we requested Microsoft to assist. They replied with some points.

        This behavior is by design. Office applications such as Word, PowerPoint, Excel etc. cannot be automated with CreateObject (VBScript) or ActiveXObject (JScript) unless this security setting allows it. Therefore the problem is not specific to Excel or JScript. The reason that the Excel object is not safe from a scripting environment is because Excel can potentially write to the User’s local file system. For example, although Microsoft Excel is a trusted tool from a reputable source, a malicious script can use its automation model to delete files on the user's computer, install macro viruses, and worse.

        To solve this problem, we recommend you choose one of the following options:
        1) Add the web site to the trusted sites zone.

        -OR-

        2) Change the following security setting for the Intranet zone to either Prompt or Enable:
        "Initialize and script ActiveX Controls Not Marked as Safe"

        -OR-

        3) Create your own custom ActiveX control using a language like VB6, MFC, or ATL and in this ActiveX control, write code that automates Excel. This ActiveX control will be signed with a digital certificate and will be marked safe for scripting.


        The following article provides more details on this solution when automating Word from a web page:
        286023 - HOWTO: Use a VB ActiveX Component For Word Automation From Internet
        http://support.microsoft.com/default.aspx?scid=KB;en-us;286023

        Ref

        Safe Initialization and Scripting for ActiveX Controls
        http://msdn.microsoft.com/workshop/components/activex/safety.asp


        Now the customer has agreed with the Microsoft solution :-)

        Thanks a lot

        Soundar
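
A read-only check of the two things the Microsoft reply turns on, the zone setting for controls not marked as safe and whether a control carries the safe-for-scripting mark, as an added PowerShell example that is not part of the original thread. The function names are hypothetical; the registry locations (URL action 1201 and the Implemented Categories CATIDs) are the standard Internet Explorer ones, and a control can also report safety at run time through IObjectSafety, which a registry check does not see.

```powershell
# Added example (not from the thread): audit zone policy and safety marks. Reads only.
$CatSafeScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CatSafeInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$ZoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UnsafeActiveXZonePolicy {
    # URL action 1201 = "Initialize and script ActiveX controls not marked as safe".
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($zone in 1..4) {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            $val = (Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue).'1201'
            if ($null -ne $val) {
                [pscustomobject]@{
                    Hive    = $hive
                    Zone    = $ZoneNames[$zone]
                    Setting = $ActionText[[int]$val]
                    # Enable means any page in the zone can script unmarked controls
                    # such as Excel.Application without a prompt.
                    Risky   = ($val -eq 0)
                }
            }
        }
    }
}

function Test-ControlSafetyMark {
    # Code signing does not set these marks; they are registered per CLSID.
    param([Parameter(Mandatory)][string]$ProgId)
    $clsid = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" `
                               -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) { return $null }   # ProgID not registered on this machine
    $cats = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\Implemented Categories"
    [pscustomobject]@{
        ProgId              = $ProgId
        Clsid               = $clsid
        SafeForScripting    = Test-Path -LiteralPath "$cats\$CatSafeScripting"
        SafeForInitializing = Test-Path -LiteralPath "$cats\$CatSafeInit"
    }
}

Get-UnsafeActiveXZonePolicy | Format-Table -AutoSize
Test-ControlSafetyMark -ProgId 'Excel.Application'
```

A zone reported as Enable is the setting to review first; Prompt corresponds to the warning dialog described in the first post.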
