How to disable the ADODB.Stream object from Internet Explorer

Article translations Article translations
Article ID: 870669 - View products that this article applies to.
Expand all | Collapse all

On This Page

An ADO stream object contains methods for reading and writing binary files and text files. When an ADO stream object is combined with known security vulnerabilities in Microsoft Internet Explorer, a Web site could execute scripts from the Local Machine zone. To help protect your computer from this kind of attack, you can manually modify your registry.

INTRODUCTION

An ADO stream object represents a file in memory. The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone. This behavior occurs because the ADODB.Stream object permits access to the hard disk when the ADODB.Stream object is hosted in Internet Explorer.

MORE INFORMATION

Any line-of-business Web application that requires a file to be loaded or to be saved to the hard disk may use the ADODB.Stream object in Internet Explorer. For example, if an intranet server hosts a form that an employee must download and fill out, the ADODB.Stream object is used to obtain the file and to save the file locally. After the user edits the file locally and submits the file back to the server, the ADODB.Stream object is used to read the file from the local hard disk and to send the file back to the server.

We strongly recommend that you use different methods to provide this functionality. For example, you may use an application or a control that requires the user to deliberately access the hard disk.

Software update information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Microsoft has provided three ways to disable the ADODB.Stream object from Internet Explorer. You can use Microsoft Windows Update to update your computer, you can download an update file from the Microsoft Download Center, or you can disable the ADODB.Stream object manually.

These methods work by creating the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
This registry key has a GUID for the ADODB.Stream object. When Internet Explorer recognizes this registry key, Internet Explorer does not permit the component to be started in the browser.

Important notes

  • If you are running the ADODB.Stream object from a server (middle tier), disabling the ADODB.Stream object on the server does not affect ADODB.Stream object functionality with Microsoft Internet Information Services (IIS).
  • If you are running the ADODB.Stream object from a client by using Internet Explorer, disabling the ADODB.Stream object stops the ADODB.Stream object from being created in Internet Explorer.

Windows Update

To install this update, visit the following Microsoft Web site:
http://update.microsoft.com

Microsoft Download Center update

To disable the ADODB.Stream object by using a registry key update that is available from the Microsoft Download Center, visit one of the following Microsoft Web sites, depending on your operating system:

Windows XP, Windows 2000, Windows NT, Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=4D056748-C538-46F6-B7C8-2FBFD0D237E3&displaylang=en
Windows 9x, Windows Me
http://www.microsoft.com/downloads/details.aspx?FamilyId=FE2A5B1C-FF30-40A0-8E70-C9F1F4DCD8C2&displaylang=en
Windows XP Version 2003, 64-Bit Edition , Windows Server 2003, 64-Bit Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=E7576B19-DE8B-41B0-BBD9-06C39591CECF&displaylang=en
Additional information and download instructions are available on the Microsoft Download Center Web site.

Manual process

To disable the ADODB.Stream object by manually creating the registry key, follow these steps:
  1. Close any open Internet Explorer browser windows.
  2. Click Start, and then click Run.
  3. In the Open box, type Regedit, and then click OK.
  4. In Registry Editor, locate the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
  5. Right-click ActiveX Compatibility, point to New, and then click Key.
  6. Type the following name for the key:
    {00000566-0000-0010-8000-00AA006D2EA4}
  7. Right-click the new key, point to New, and then click DWORD Value.
  8. Name the value Compatibility Flags.
  9. In the right pane, right-click Compatibility Flags, and then click Modify.
  10. In the Edit DWORD Value dialog box, make sure that the Hexadecimal option is selected, type 400 in the Value data box, and then click OK.
  11. Close Registry Editor.
When you set the compatibility flag, the ADODB.Stream object cannot access the hard disk of your computer in Internet Explorer. However, the ADODB.Stream object can still access your hard disk outside Internet Explorer.

Important notes

When you add this registry key, only the ADODB.Stream object in Internet Explorer is affected. No other ADO objects are affected by this change.

After you apply the update, you will receive the following error message when you try to use an ADO stream object from an HTML page in Internet Explorer:
ActiveX component can’t create object: ‘ADODB.Stream’
If you are running an application in a corporate intranet environment, and the corporate intranet environment currently uses the ADODB.Stream object with Internet Explorer, applying this update may cause the application to break. To restore application functionality, Microsoft recommends that you first set your Internet Explorer browser security level to High, and then you must clear the compatibility flag of the ADODB.Stream object
  1. To set your Internet Explorer browser security to high, follow these steps:
    1. In Internet Explorer, click Internet Options on the Tools menu.
    2. Click the Security tab. Under Select a Web content zone to specify its security settings, click Internet.
    3. Click Default Level, and then move the slider to High.
    4. Click Apply, and then click OK to close the Internet Options dialog box.
  2. Clear the compatibility flag of the ADODB.Stream object for Internet Explorer by setting the value to zero (0x0). Setting the value to zero (0x0) disables the key and restores functionality. To manually set the compatibility flag to zero, follow these steps:
    1. Click Start, and then click Run.
    2. In the Open box, type Regedit, and then click OK.
    3. In Registry Editor, locate the following registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
    4. In the right pane, double-click Compatibility Flags.
    5. In the Edit DWORD Value dialog box, make sure that the Hexadecimal option is selected, type 0 in the Value data box, and then click OK.
    6. Close Registry Editor.
Note You must restart Internet Explorer for your changes to take effect.

REFERENCES

For additional information about how to strengthen the Local Machine zone in Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base:
833633 How to strengthen the security settings for the Local Machine zone in Internet Explorer
For more information about Internet security, visit the following Microsoft Web site:
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
For additional information about how to stop ActiveX controls from running on your system, click the following article number to view the article in the Microsoft Knowledge Base:
240797 How to stop an ActiveX control from running in Internet Explorer

Properties

Article ID: 870669 - Last Review: February 3, 2011 - Revision: 6.7
APPLIES TO
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0
  • Microsoft Data Access Components 2.5
  • Microsoft Data Access Components 2.6
  • Microsoft Data Access Components 2.7
Keywords: 
kbPubTypeKC atdownload kbinfo KB870669

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com