Have you ever been writing an application and needed to retrieve or edit the properties of a Microsoft Office document?  Did the thought of having to write code to perform Word or Excel automation send chills down your spine?  Were you worried that your documents’ precious metadata would forever be trapped behind the taunting shield of the Windows Explorer property window?

So close yet so far.

Fear not, all hope is not lost.  For there is another way to retrieve and edit the details of your Office files without even needing a version of Microsoft Office installed on the PC.  Microsoft has been kind of enough to provide the dsofile.dll, a handy ActiveX component that allows easy manipulation of the file details.  There is even demo code provided for VB6 and VB.Net.

But you may be asking yourself, “How can I get such a mysterious and powerful tool to work?”  Fortunately, dsofile is simple to use, just add it to your project and your ready to go.  Check out the sample code below for an example of how to use dsofile to retrieve information out of our document.

private void ReadOfficeDocumentMetadata(string fileName)
{
   DSOFile.OleDocumentPropertiesClass document = new DSOFile.OleDocumentPropertiesClass();
   document.Open(fileName, false, DSOFile.dsoFileOpenOptions.dsoOptionOpenReadOnlyIfNoWriteAccess);

   //Display document metadata
   txtTitle.Text = document.Properties.Title;
   txtAuthor.Text = document.SummaryProperties.Author;
   txtSubject.Text = document.SummaryProperties.Subject;
   txtCategories.Text = document.SummaryProperties.Category;
   txtComments.Text = document.SummaryProperties.Comments;

   document.Close(false);
}

Wow, it’s just that easy!  Let’s see it in action:

Take a moment and savor the sweet smell of success.

But don’t just take my word for it, try out dsofile.dll yourself.  The download comes with couple of sample applications that are worth checking out and provide a more in depth look at what this tool can do.  ECM Developers at ImageSource have already found uses for this wonderful tool, and so can you.

431

“As with a great many things, ActiveX was a good enough idea that had a highly unpleasant side effect. The ability to integrate third-party applications with the web browser was a pretty neat idea, unfortunately it also opened a Pandora’s box of security issues. Sort of like a weight loss pill that causes you to turn orange and grow a third arm out of your chest.” – Shaun Nichols

Top 10 worst Microsoft products of all time

Scenario…

Accessing Orion NMP from your Web browser, causes the “Install SWToolset.exe” message to be displayed. Even though you install this Add On, it does not show up in the ‘Manage Add Ons’ Internet Explorer 8 (IE consequently resulting in the same “Install SWToolset.exe” prompt being displayed every time you click one of your monitored devices.

Fix…

Internet Explorer 8 on a Windows 7 cause the “Install SWToolset.exe” message to be prompted even though this has already been installed. Another common message is “To utilize the Solarwinds Toolset Integration features, be sure to allw ActiveX controls on your browser.” Open up all security settings for ActiveX Controls (like you stated above)

• Make sure the Orion website is in the Trusted group. This prevents the error message To utilize the Solarwinds Toolset Integration features, be sure to allow ActiveX controls on your browser.”
• Open the browser, and manually download the SWToolset.exe
  • http://<orionserver>/Swtoolset.exe
  • Save this file somewhere (hopefully where all users will have rights)
• Open a command prompt with Administrator Rights (accessories -> right mouse click -> Run as administrator
• Very important: Close all your browsers to the Orion website!
• Navigate to the folder where you saved the SWToolset.exe file
• Run "SWToolset.exe /regserver".
• Open the browser, navigate to Orion, and see if it asks you again about installing the ActiveX (it shouldn’t, you just did it manually).
• If you do not get the message, give something a right click and see if you get the menu.

This will manually install the ActiveX Control. It seems I was not able to get the control install via auto download from the browser.

Source…

There is a very interesting article about South Korea’s internet problem – it is stuck to using Internet Explorer and ActiveX technology. Which means that the people of South Korea do not have choice in using the safer browsers (Firefox, Chrome) or other operating systems (Linux, Apple Mac).

Every citizen, no matter how poor, needs to pay for a license of Windows – unless he/she wants to stay away from using the govt’s websites, bank websites, etc.

It all happened because of a choice the govt made – to develop a non-standard encryption standard called SEED. Adhering to the technology choices of that time, the govt. developed a ActiveX plugin that was made mandatory for any kind of secure access (for example to bank websites, etc.).

The world moved forward – ActiveX as a technology was found to be a significant security risk. However, South Korea remained to be stuck to its old technology. The situation became so bad that the govt. advised its citizens against using Microsoft Vista, because the ActiveX plugin would not work on it.

In the first week of October this year, a patch was added to Mozilla Firefox (by volunteers of Mozilla along with employees of Korea’s govt. agency) that may or may not work in actual practice.

What has this got to do with India ?

We do the exact same thing.

As I have written before, we have a few similar issues:

• the digital certificate registration site is only usable using Internet Explorer (rather than a standardized system accessible to all browsers)
• Income Tax deptt’s site uses a proprietary Java plugin for certificate upload (rather than use free plugins for browsers like Firefox)
• Income Tax deptt’s tax calculation tools are all in Microsoft Excel (which costs Rs 20000), rather than the free OpenOffice format.

We need to get rid of such lock-in immediately – or the aam aadmi will need to shell out a month’s salary to calculate his income tax.

Il 13 ottobre Microsoft ha pubblicato un aggiornamento da record che risolve ben 34 vulnerabilità che riguardano Windows, Internet Explorer, Windows Media Player, Office, Silverlight, Forefront, Developer Tools, Internet Information Services, ActiveX e SQL Server. Otto di queste vulnerabilità sono classificate come critiche: una è una falla in Internet Explorer 8 sotto Windows 7.

L’aggiornamento verrà ricevuto automaticamente dalla maggior parte degli utenti, ed è importante installarlo appena possibile perché alcune delle vulnerabilità turate, per esempio quella del protocollo FTP in Internet Information Services e le quattro di Internet Explorer che richiedono solo di attirare la vittima su una pagina preconfezionata, vengono già sfruttate da alcuni criminali informatici.

Il record precedente per un singolo aggiornamento era di giugno 2009, con 31 vulnerabilità turate nell’ambito degli aggiornamenti che Microsoft da fine 2003 pubblica il secondo martedì di ogni mese.

Fonte: http://attivissimo.blogspot.com

ADO: ActiveX Data Objects

by Jason T. Roff

Een berucht Trojaans paard dat FTP wachtwoorden steelt en besmette machines onderdeel van een botnet maakt, schakelt zichzelf uit als het een bepaalde computernaam of gebruikersnaam ziet. Ook gebruikers van de Comodo Firewall hoeven zich over de Bredolabs Trojan geen zorgen te maken.

Lees meer

Hi,
This post is going to be a test to see if the mere mention of Megan Fox and porn in the same sentence and blog post will cause more hits on the web page.

What we are here to discuss is how to debug an ActiveX control when it is loaded into IE8. Basically you can’t just attach your Visual Studio debugger to the explorer process and set breakpoints; it just doesn’t work. So how do you do it?

There are two ways. Firstly you can have your code open a console window at startup and have all your output directed there. To do this use the following code:
AllocConsole();
freopen ("CONOUT$", "w", stdout );


You can of course wrap those two lines inside an “if debug” or “#ifdef debug” type of call so it only opens up when you want to.

Now if you wanted to set breakpoints etc how do you do it? Well the total hacky way, which is what we are advocating here, is to raise an assertion early in your code and then debug the assertion in VS2005 or VS2008:

assert("Megan Fox would be a great fuck"); // this would be true but actually evaluates false; go figure!

This will cause internet explorer to blowup, and if you place it early in your controls initialisation you can successfully attach your debugger to the process and have full debug capabilities with your control running inside Internet Explorer.

Oh and for those Megan Fox fans, please click this link for you shall enjoy, we promise: http://www.gregfoto.com/portfolio/image.php?album_id=43&album_item_id=727

That is all,

Little Nibbles

http://msdn.microsoft.com/en-gb/ms788206(office.11).aspx

Vergeet Windows, Internet Explorer of QuickTime, cybercriminelen richten zich steeds vaker en exclusief op Adobe software, iets wat zelfs virusexperts verbaast.

Lees meer

Uzun zamandır activeX ile ilgili doğru düzgün bir güvenlik yazılımı görmemiştim. O yüzden bu yazılım gözümde bi kat daha değerli. Bugün security-database’de gezinirken rastladığım bu güzel programı paylaşmak istedim.

Download :

http://sourceforge.net/projects/dranzer/

Usage (Kullanım) :

“dranzer.exe <secenekler>”

Seçenekler :

-o <outputfile> – Output Filename
-i <inputfile> – Use input file CLSID list
-d <notestfile> – Use don’t test CLSID List
-g – Generate base COM list
-k – Generate Kill Bit COM list
-l – Generate Interface Listings
-b – Load In Browser (IE)
-t – Test Interfaces Properties and Methods
-p – Test PARAMS (PropertyBag) in Internet Explorer
-s – Test PARAMS (Binary Scan) in Internet Explorer
-n – Print COM object information
-v – Print out version information
-r – Generate Kill Bit registry files

Örnek:

dranzer.exe -g

User Guide :

http://docs.google.com/Doc?docid=0ATn5yqW-bnJPZGhtZGNoZjVfMTAwYzU0NW04OXE&hl=tr

Döküman :

dranzer

Bakılması Tavsiye Kaynaklar :

http://www.cert.org/vuls/discovery/dranzer.html

M.Serhat Dündar

User Guide :

Overview

ActiveX and COM vulnerabilities have been getting much attention lately. ActiveX allows a web browser to use software components installed on a Windows machine. Scripting technologies can allow an attacker to control the memory contents of a machine. By combining scripting and ActiveX, an attacker can take advantage of flaws in COM objects, which may allow execution of arbitrary code, information disclosure, or other security violations.

Dranzer is a tool that can detect flaws in COM objects.

Target Audience

Dranzer can be useful to various groups of people:

1. Software developers can test COM objects as they are being developed. By testing during the software development process, developers can prevent vulnerabilities before the software is released to the public.

2. Software vendors can detect and fix flaws in their COM objects before attackers discover the flaws.

3. System administrators can assess the security of their systems with respect to COM objects.

ActiveX Vulnerability Classes

I. COM objects that crash Internet Explorer upon instantiation.

Some COM objects will crash Internet Explorer just by being referenced in a web page. The COM object may not have been intended for a web browser, but Internet Explorer will attempt to instantiate any COM object that is referenced in an <OBJECT> tag, regardless of whether the object is a traditional ActiveX control. Certain COM objects will cause Internet Explorer to crash in a manner that attackers can exploit to execute arbitrary code.

More information about this class of vulnerabilities is available in “Multiple COM objects cause memory corruption in Microsoft Internet Explorer” (http://www.kb.cert.org/vuls/id/959049).

II. COM objects that fail to properly validate input.

Attackers can use a script within a web page to control COM objects that are marked “Safe for scripting.” This script would call methods or access properties of the COM object. Attackers can control COM objects that are marked “Safe for initialization” by using <PARAM> tags in a web page. If the COM object fails to properly validate input, such as enforcing a maximum size for a string parameter, an attacker may be able to pass specially crafted parameters that would cause the object to crash Internet Explorer in a way that the attacker could exploit.

An example of this type of vulnerability is available in “RealPlayer ActiveX control contains buffer overflow in ‘ShowPreferences’” (http://www.kb.cert.org/vuls/id/698390).

III. COM objects that do not restrict access to its methods.

Unless special restrictions are in place, any web page can call the methods provided by safe-for-scripting COM objects. Attackers may be able to take advantage of some of these methods to disclose information unintentionally; they may even be able to download and execute applications.

An example of this type of vulnerability is available in “Microsoft Log Sink Class ActiveX control incorrectly marked ‘safe for scripting’” (http://www.kb.cert.org/vuls/id/165022).

Dranzer system requirements

Operating system: Windows Vista, XP or Windows 2000. Windows XP is preferred.

Browser: Internet Explorer with ActiveX enabled for the Internet Zone (IE 6 and earlier) and Local Intranet Zone (IE 7 or later)

Note: We do not recommend running Dranzer on production systems. The process of testing COM objects essentially involves executing pieces of code that exist on a system, and this may have adverse effects in a test environment.

Running Dranzer

C:\Program Files\Dranzer\Dranzer\Release>Dranzer.exe

Execution mode not specified use -g,-k,-l,-b, or -p

Usage: Dranzer.exe <options>

Options:

-o <outputfile> – Output Filename

-i <inputfile> – Use input file CLSID list

-d <notestfile> – Use don’t test CLSID List

-g – Generate base COM list

-k – Generate Kill Bit COM list

-l – Generate Interface Listings

-b – Load In Browser (IE)

-t – Test Interfaces Properties and Methods

-p – Test PARAMS (PropertyBag) in Internet Explorer

-s – Test PARAMS (Binary Scan) in Internet Explorer

-n – Print COM object information

-v – Print out version information

-r - Generate Kill Bit registry files

Dranzer has the ability to test all three of the COM vulnerability classes described above.

Class I: (-b)

With the “-b” option, Dranzer will check for COM objects that cause Internet Explorer to crash upon their instantiation.

Example usage:

Dranzer.exe -o testmachine_crashie.txt -b

Class II: (-t, -p, -s)

With the “-t” option, Dranzer will check for COM objects that fail to properly validate input to methods.

Example usage:

Dranzer.exe -o testmachine_report.txt -t

With the “-p” and “-s” options, Dranzer will check for COM objects that fail to properly validate input to initialization parameters. Dranzer will check for available parameters by using either the IPropertyBag interface or by scanning the binary file, respectively.

Example usage:

Dranzer.exe -o testmachine_param_bag.txt -p

Dranzer.exe -o testmachine_param_scan.txt -s

Class III: (-l)

With the “-l” option, Dranzer will enumerate the methods and properties of COM objects that are marked “safe for scripting.”

Example usage:

Dranzer.exe –o testmachine_methods.txt -l

Using baselines and exception lists

The “-g” option can be used to create a “baseline” list of COM objects installed on a machine. This capability can be useful for determining what COM objects an application provides. For example:

1) Create a baseline snapshot for the machine being used in the test:

Dranzer.exe -o baseline.txt -g

2) Install software package

3) Run Dranzer with the “-d” option to exclude the COM objects in the baseline:

Dranzer -d baseline.txt -o myapp_crashie.txt -b

Alternatively, you can execute the alltests.bat script to run all Dranzer tests for COM objects that do not exist in the baseline.txt file. Rather than using the command line listed in step 3, simply run alltests.bat. This will test only the new COM objects that were installed with the software package in step 2. Included in the Dranzer installation are the files xpprosp2.txt and vista.txt. These files contain a list of COM objects that come with Windows XP Professional SP2 and Windows Vista, respectively. You can use these files as a starting point for testing COM objects on a system if you were unable to generate a baseline before installing the software.

Using input lists

The “-i” option can be used if you wish to provide a list of the COM objects that you would like to be tested.

Example usage:

Dranzer.exe -i mycomobjects.txt -o myobjects_test.txt -t

This command will test the methods of the COM objects listed in the “mycomobjects.txt” input file.

Using Kill Bit Registry files

The “-r” option can be used in combination with any of the Dranzer tests (-t, -p, -s, or -b) if you wish to generate kill bit registry files to prevent Internet Explorer from using controls that Dranzer has found to be defective.

Example usage:

Dranzer.exe -t -r myobjects_test

This command will test the methods of all COM objects on a system, and any COM object that has failed the methods test will be added to the myobjects_test.reg file. Opening this file will merge the kill bit values into the registry, which will prevent Internet Explorer from using those controls. If you wish to undo the kill bit changes, simply open the “Undo” version of the .reg file.  This will revert the kill bit values back to their original state.

Interpreting the results

Class I: (-b)

The output file will contain a list of all COM objects that have caused Internet Explorer to crash on their instantiation. The crashes are usually caused by memory access violations.

As Dranzer encounters COM objects that cause Internet Explorer to crash, it will save HTML files in the current directory. Opening these files in Internet Explorer can help to verify the crashes. The file names will be {GUID}_load.html, where GUID is the identifier for the COM object.

Class II: (-t, -p, -s)

The output file will list all COM objects that have caused Internet Explorer to crash when Dranzer passed unexpected values to their methods. You can see the methods and properties that were accessed prior to the crash. The crashes are usually caused by memory access violations.

As Dranzer encounters COM objects that cause Internet Explorer to crash as the result of initialization parameters, it will save HTML files in the current directory. Opening these files in Internet Explorer can help to verify the crashes. The file names will be {GUID}_param_pb.html or {GUID}_param_bs.html, depending on which flag was used. Dranzer does not determine the specific parameter that caused the crash but rather includes all possible parameters in the HTML file.

Detailed crash analysis of COM objects

For both Class I and Class II COM object vulnerabilities, any access violation can indicate a vulnerability that an attacker may be able to exploit to execute arbitrary code. As a general rule, the more control an attacker has over the crash, the more likely that an arbitrary code execution vulnerability exists. Dranzer uses lowercase ‘x’ characters to test for buffer overflows, so any time the value “78” is seen in the crash details, it usually indicates an exploitable flaw. In certain circumstances, Dranzer will detect an access violation but will not show details such as memory locations and operation. This situation can happen when the buffer overflow causes the structured exception handler (SEH) to be overwritten. When the SEH is overwritten, Dranzer is not able to trap the access violation and will not be able to display the crash details for the method that caused the buffer overflow. In these cases, the very last method called for a COM object is suspect. When testing fixes for COM objects, Dranzer must be able to test the object without indicating any access violations in the results.

Dranzer output examples

Top-level errors

In the Dranzer output, these errors are listed at the beginning of each failed COM object. Possible errors include the following:

ERROR – Access violation (0xc0000005)

This error indicates a crash as the result of accessing an invalid area of memory.

ERROR – Buffer Overrun Fault (0xfffffff3)

This error is usually indicative of a buffer overflow that is caught by Microsoft’s /GS buffer security check. The /GS buffer overflow protection can make it more difficult to exploit the vulnerability. However, depending on what the vulnerable control’s code does, and whether the /SAFESEH flag was used, an attacker can often bypass this protection. Note that Dranzer can produce this error as a false positive if the control uses the same error code for other errors. Also note that Dranzer will not clearly indicate which method caused the buffer overrun fault error code, but it will be the last method or property listed in the Dranzer output.

ERROR – COM Object Exception Occurred (0xfffffff9)

The COM object has generated an exception, which is usually the result of a memory access violation.

ERROR – Internet Explorer Crashed (0xfffffff7)

The HTML test case caused IE to crash. Use the relevant HTML file in the Dranzer directory to reproduce the crash.

ERROR – COM Object Operation Hung (0xffffffff)

The COM object has not responded within the time allowed. Certain COM objects can hang when a web page attempts to use them; others can have specific methods that will cause the hang. With either of these situations, the errors are not normally exploitable, but in certain cases a buffer overflow or other error can cause memory corruption that will lead to a hang. You need to further investigate these errors by testing other input values, if possible, to determine if this is the case.

Method-level errors

In the Dranzer output, Method-level errors are listed for specific methods or properties. The following are example errors:

*****************************

*** Access Violation ***

*****************************

Invoked Property Get – ObjectName::short PropName()

Access violation at 0×6E205539 :Bad read on 0×00000000

This is a null pointer dereference access violation as the result of attempting to refer to the “PropName” property. It is less likely to be exploitable because of the null pointer and also because the property takes no parameters. However, keep in mind that the Dranzer testing is sequential, so a crash in a specific method or parameter may be the result of the actions that took place before (above) it.

*****************************

*** Access Violation ***

*****************************

Invoked Method – ObjectName::VARIANT_BOOL MethodName()

Access violation at 0×7C91142E :Bad read on 0×78787878

This indicates that a buffer overflow has taken place, with the memory address being the value specified in a buffer value (lowercase ‘x’ being 0×78 in ASCII). Depending on what the COM object is doing with the value that is being read from that location, this flaw has a high probability that an attacker can exploit it to execute arbitrary code. Note that this is another case in which the method that triggers the access violation is not the one that accepts user input. The buffer overflow likely took place in a previous parameter or method operation, but what is experienced can be considered a “second-order” flaw because the symptoms of the flaw are not immediately seen.

*****************************

*** Access Violation ***

*****************************

Invoked Method – ObjectName::long MethodName([in] BSTR ParameterName<”xxxx…..{10240}”>)

Access violation at 0×78787878 :Bad read on 0×78787878

This indicates a buffer overflow vulnerability that is trivially exploitable. Two identical memory addresses indicate that the COM object is trying to execute code at the specified address. In this case, it’s the hex value of the characters in the parameter specified for the method.

*****************************

*** Access Violation ***

*****************************

Invoked Property Get – ObjectName::long PropertyName(long ParameterName<-1>)

Access violation at 0×6338092E :Bad read on 0xFFFFFFFF

This is an example of a possible integer overflow. Depending on how the memory address can be affected by various parameter values, the flaw may be exploitable.

Note: If there is a top-level error reported, but no method-level violation is present, look at the last method or parameter that Dranzer tested in the output. This last entry is likely the one that caused the SEH to be overwritten or caused /GS protection to trigger. Both of these cases will prevent a method-level violation from being reported. Vulnerabilities in which the SEH is overwritten as the result of a buffer overflow are usually trivially exploitable.

The behavior where the test process is terminated unexpectedly can cause important flaws to be overlooked. This can happen when a method-level violation is reported, but also the last method tested causes one of the exceptions described above. Dranzer may not report the method-level exception in the output. To work around this situation, use Dranzer to retest COM objects after all reported violations are fixed in the code and pay special attention to the last method listed in Dranzer test reports.

Class III: (-l)

This class of vulnerabilities requires the most analysis to determine if there is a problem. Look for method names that an attacker could leverage. The following are some examples of dangerous methods:

ShellExecute(BSTR)

Reboot()

DownloadFile(BSTR,BSTR)

HttpPOST(BSTR,BSTR,BSTR)

GetUserName()

If the COM object does not restrict which web addresses can use the methods, attackers may be able to use the COM object to their advantage.

Other COM fuzzers

axfuzz – <http://sourceforge.net/projects/axfuzz>

axfuzz was the inspiration for creating Dranzer. With the axfuzz package, you must use a combination of the axenum and axfuzz tools to fuzz test an entire system. When the testing tools crash, the tools must manually be restarted at a specific control after the one that caused the crash, and crash details are not included in the reports.

COMRaider – <http://labs.idefense.com/labs-software.php?show=20>

COMRaider is a graphical tool for fuzz testing a single COM object. Crash details are included, which can help determine which COM flaws may be exploitable. Due to the program design, a high level of user interaction is required, and the tests take a long time to complete.

AxMan – <http://metasploit.com/users/hdm/tools/axman>

AxMan is a browser-based method fuzz tester. AxMan is designed to fuzz test all of the COM objects installed on a system, and the test process involves multiple steps. Once a crash is encountered, the test process must be manually restarted to begin again using a control that exists in the list after the one that caused the crash. COM objects that display dialogs or present the Internet Explorer information bar will require a user to manually click those items to continue the test process. AxMan does not appear to support Internet Explorer 7.

COM fuzzer comparison

A single COM object that was known to be vulnerable was used to compare the fuzz test tools:

References

Microsoft ActiveX security resources:

• “Designing Secure ActiveX Controls” (http://msdn.microsoft.com/en-us/library/aa752035.aspx)
• “ActiveX Security: Improvements and Best Practices” (http://msdn.microsoft.com/en-us/library/bb250471.aspx)
• “How to stop an ActiveX control from running in Internet Explorer” (http://support.microsoft.com/kb/240797)

“Results of the CERT/CC Security in ActiveX Workshop” (http://www.cert.org/reports/activeX_report.pdf)

Vulnerability notes:

• “Multiple COM objects cause memory corruption in Microsoft Internet Explorer” (http://www.kb.cert.org/vuls/id/959049)
• “RealPlayer ActiveX control contains buffer overflow in ‘ShowPreferences’” (http://www.kb.cert.org/vuls/id/698390)
• “Microsoft Log Sink Class ActiveX control incorrectly marked ‘safe for scripting’” (http://www.kb.cert.org/vuls/id/165022)

Other COM fuzzers:

• axfuzz (http://sourceforge.net/projects/axfuzz)
• iDefense Labs Fuzzing Software Tools (http://labs.idefense.com/software/fuzzing.php#more_comraider)
• AxMan (http://metasploit.com/users/hdm/tools/axman)

Если кому необходимо использовать ActiveX элементы для плагинов Eclipse, то для этого нужно использовать библиотеки SWT, которые содержат функции для работы с OLE объектами. Вот и меня постигла такая потребность, поэтому пришлось немного поэкспериментировать. Если что указал ниже некорректно, то прошу шибко не судить, т.к. java я использовал первый раз, что уж говорить про разработку плагинов к Eclipse.

Для начала своих опытов я скачал Eclipse, который содержит все, что нужно для создания плагинов: http://www.eclipse.org/downloads/download.php?file=/technology/epp/downloads/release/galileo/R/eclipse-rcp-galileo-win32.zip

Далее создал проект «Plug-in project» и при создании в мастере выбрал шаблон плагина «Plug-in with a view». И уже в новый проект добавил импорт необходимых классов:

import org.eclipse.swt.ole.win32.OleAutomation;
import org.eclipse.swt.ole.win32.OleControlSite;
import org.eclipse.swt.ole.win32.OleFrame;
import org.eclipse.swt.ole.win32.Variant;

Далее в классе представления плагина определил переменные необходимые для работы с OLE объектом:

private OleControlSite olesite;
private OleAutomation oleauto;

И в функцию createPartControl, предварительно убрав лишнее, внес изменения, т.е. добавление элемента на страницу представления:

public void createPartControl(Composite parent) {
        OleFrame frame = new OleFrame(parent, SWT.NONE);
        olesite = new OleControlSite(frame, SWT.NONE, “Word.Document”);
        oleauto = new OleAutomation(olesite);
}

Если же необходимо использовать методы и свойства встроенного элемента, то можно использовать следующие функции класса OleAutomation:

• setProperty – установить значение для свойства
• getProperty – получить значение для свойства
• invoke – выполнить метод

Небольшой пример для присваивания значения свойству:

        Variant valueq = new Variant((String) “New value”); // определяем новое значение
        int[] rgdispid = oleauto.getIDsOfNames(new String[]{“CtlName”});    // получаем номер свойства по его наименованию
        oleauto.setProperty(rgdispid[0], valueq); // устанавливаем новое значение

Ресурсы:

• Developing Eclipse plug-ins
• ActiveX Support In SWT
• Integrate ActiveX controls into SWT applications

PC World Tips: Ασφαλές σερφάρισμα – Internet, ασφάλεια, ασφαλές σερφάρισμα, βήμα βήμα, PC World συμβουλές, browser, security – PCW

Ρυθμίστε σωστά τον browser, ώστε να σερφάρετε με ασφάλεια, και μάθετε πώς να διαγράφετε τα ίχνη που αφήνουν οι περιηγήσεις σας

Οι δυο βασικοι τροποι προσβολής του PC μέσω του browser είναι αφενός η ανακατεύθυνση του URL και αφετέρου η εισαγωγή κώδικα (συνήθως ActiveX ή JavaScript), με τον οποίο μπορεί κανείς να προσβάλει το σύστημα και να προξενήσει ζημιά, με την έννοια ότι μπορεί να δει και να υποκλέψει αρχεία και δεδομένα, να χρησιμοποιήσει τους πόρους του υπολογιστή για δικό του σκοπό και να παρακολουθεί τις κινήσεις μας.[next]

I was called upon to create an ActiveX control using C# for our local intranet. This may not be the best way to do this and it certainly isn’t the only way, but it worked for me. This might be a nice starting point for anyone else struggling with this issue. For some reason I can only instantiate the ActiveX Object using JavaScript if I compile it using the commandline (csc.exe). I’m sure there’s a tweak in VS 2008 somewhere to fix this. Anyhow…

Step 1. Create a class library

For this example just put everything into a single class file. Normally I would not do this (separating interfaces, classes, etc. into their own .cs files).

Step 2. Create an interface that will be visible to JavaScript

This is just a plain ol’ public interface with methods and properties. You call these from the ActiveX object that you create and get the values that they return.

Step 3. Add code for the IObjectSafety interface into your class file

You can pretty much copy/paste the code in this article (although that would be plagiarism):
http://www.atalasoft.com/cs/blogs/rickm/archive/2009/06/03/net-2-0-activex-control-gotchas-safe-for-scripting-and-hooking-into-events.aspx

Step 4. Create a class that implements both of these interfaces

Add the [ClassInterface(ClassInterfaceType.AutoDual)] attribute to your class. Implement IObjectSafety as described in the other article above.

Step 5. Open the Visual Studio commandline

You should be able to find this under Programs/Program Files>Microsoft Visual Studio (2008/2005/…)>Visual Studio Tools>…command prompt.
Change directory to the output folder for your project.

Step 6. Create a keyfile to give the assembly a strong name

For example:
sn -k MyKeyFile.snk

Step 7. Compile using the VS commandline

For example:
csc /t:library ..\..\MyClassFile.cs /keyfile:MyKeyFile.snk

Step 8. Push the ActiveX control out to your clients and register it using the regasm tool

For example:
regasm MyActiveX.dll /tlb:MyActiveXNet.dll /codebase

Step 9: Call the ActiveX object from JavaScript

For example:
var x = new ActiveXObject(“ObjectNamespace.ObjectClassName”);
x.SomeMethod(someparams);

If you have questions, feel free to leave comments and I may answer them as I have time.

Michael Snead is a passionate IT enthusiast and professional application developer with years of experience in diverse corporate environments including everything from the family-owned to the multi-national enterprise. Michael’s hobbies include X10 home automation, his open-source home theatre PC and converting his own electric car.

UPDATE: My videochat recording site, wetoku.com, just joined the IE6 No More campaign!

Mashable.com has been an outspoken critic of ongoing support for the outdated Internet Explorer 6 browser.  I wish Peter Cashmore and his peeps would spend a few months in Korea, because then they might do something to help the far eastern peninsula do something about its unhealthy devotion to the outdated technology.

Today, I read something about the IE6 issue that caught my eye…

Microsoft Internet Explorer 6 was released in late 2001. For its time, it was a decent browser, but in 2009, it is still in use by a significant portion of the web population, and its time is now up.

As any web developer will tell you, working with IE 6 is one of the most difficult and frustrating things they have to deal with on a daily basis, taking up a disproportionate amount of their time. Beyond that, IE 6’s support for modern web standards is very lacking, restricting what developers can create and holding the web back.

(Source: http://ie6nomore.com on August 5, 2009)

Sites that are participating in the IE6 No More campaign

IE6 doesn’t support HTML5.  According to Mashable.com:

- Video Tag: By tagging a video with < video >, you can embed a video straight through HTML. Because of this, you can really control the look and feel of the video.

- Audio Tag: The same thing as video, audio embedding becomes a lot easier.

- Time: The tag will help browsers recognize time in HTML pages. There’s also < meter > for numeric values.

- Drag and Drop: While there’s still wrangling on this point, with HTML 5 you will eventually be able to drag and drop files right on the browser. This is most notable for Google’s upcoming communication product, Google Wave, a big reason why Google’s pushing hard for this.

- Local Storage: Web apps work just like desktop apps nowadays, except they can’t easily save work right to your computer. HTML 5 fixes that problem.

- Geolocation: With HTML 5, you should be able to make web apps that can determine your location and provide you more relevant information. With the rise of location-based mobile services, this is important.

- Canvas: The canvas HTML element allows for scriptable bitmaps. What that means is that you can create beautiful graphics or imagery on the fly within HTML, meaning the interface of many web apps can become a lot more dynamic and richer. Mozilla Bespin is a big project for code editing using HTML 5, one that – you guessed it – won’t work in IE6.

(Source: http://mashable.com/2009/07/16/ie6-must-die/ on August 5, 2009)

Yesterday, I was talking with a few of my developers about the true cost of commitment.  It was in a different context, but the theme comes to mind here.  Korea has made an overwhelming commitment to IE6 that would be appalling to any of the guys running the sites above, or anyone who is serious about innovation.  Security considerations aside (performing simple tasks online in Korea requires the installation of multiple ActiveX controls, which has led to an “install, install, install” mentality that I am now guilty of), IE6 just doesn’t support the type of innovation that is taking place on the web today.  This means that Koreans are, by and large, unexposed to cutting edge web 2.0 applications.  When we are, we shrug with a collective “meh”, because the sites don’t work with the browser we’re forced to use by banks, e-commerce sites and the government perform to slowly, doesn’t display the originally intended design (and therefore looks like the guys who made the site don’t know what they’re doing), or doesn’t support the features that make the site useful.  The saddest cost of Korea’s commitment to IE6 and ActiveX is the opportunity cost… how many prospective innovators here are under-exposed to global best-of-breed web technology, and therefore are less likely to participate in making the next generation of the web?

I highly recommend that you take a look at both Mashable’s articles on IE6, as well as http://ie6nomore.com.

Want to watch a .wmv file in your browser? Need to know how your blog feels in Internet Explorer? Or what about those pesky ActiveX controls? Don’t worry, this post just may have solved all of your Firefox problems:

Continuing my series of “must needed Firefox add-ons,” today’s add-on is IE Tab, a powerful tool that allows users to open links in an embedded Internet Explorer tab right in Firefox. Yes, this means ActiveX controls as well as IE’s smooth scrolling will now be directly available on Firefox. You can even run a Windows Update via this add-on.