Is there a way to disable MSFT IE's XML data binding functionality via a script?
Question: Is it possible to create a webpage with a script to disable XML data binding in MSIE? The ideal approach would be to encode an HTML page and tell everyone in the office to visit the page with a button that says "disable data binding".
Rationale: There is currently no sysadmin available and the goal is to create a simple brain to allow people to disable this feature without having to go through a bunch of MSIE configuration menus.
source to share
I am assuming you are talking about Microsoft Security Advisory (961051) .
If you can disable XML data binding using a client-side script, then someone can enable it from a client-side script and reopen the vulnerability. So this is not possible.
However, if everyone is running the same version of Windows and has the same bitta flavor, just submit them to a page where they can copy and paste it into Start> Run:
Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"
Note that this will protect against current attacks, but for a comprehensive protection against the vulnerability they recommend applying to another workaround. More on this here .
And encouraging your employees to go to the website in email and launch something that they were asked to launch is probably a bad idea as it opens them up to various phishing attacks as most people won't be able to distinguish between email and their IT. department of the company and e-mail sent by the attacker.
Learn more about the available workarounds here .
In the end, the best practice would be to supplant one of the workarounds as described in the KB article above.
source to share