Home/ Questions/Q 7415347
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T07:17:06+00:00

I have an ActiveX control that basically checks if one of our company software

  • 0

I have an ActiveX control that basically checks if one of our company software is installed, and if not installs it.
(For reasons my boss doesn’t want to just download the exe, he wants the ActiveX control to launch the setup.exe).
Now would it be bad if I passed from the javascript the URL & program name ?

Here’s my idl interface so far:

    //  Primary dispatch interface for CMyAwesomeControl
[ 
    uuid(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)  
]
dispinterface _DMyAwesomeControl
{
    properties:
    methods:
        [id(1)] LONG IsProgramInstalled(BSTR programName);
        [id(2)] LONG InstallProgram(BSTR installURL);
};

I am of course worried about injecting anything malicious into those functions, but since javascript is running on the client side it shouldn’t matter right ?
Otherwise I thought I could extract the URL this activeX is running on and make sure it’s always our company’s domain (but again, hard coding it :/).

I’m sorry in advance if this question makes the more security-savvy people out there pull their hair out 😛

EDIT:
Just to add that it would be fine to include the setup.exe + .msi in the resources of the control but that would be a PITA to update.
Otherwise I could include just the setup.exe in the resource and leave the .msi on the server, and store the url in the setup.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As long as you sign your exe, and check this signature before running it, I don’t see why it would be any different than letting the user download the exe and running it herself.

    But make sure your certificate is valid, so you can actually check this on the user’s machine (i.e. no self-signing).

    • 0