UCF STIG Viewer Logo

Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-70289 APSC-DV-002870 SV-84911r1_rule Medium
Description
Use of un-trusted Level 1A mobile code technologies can introduce security vulnerabilities and malicious code into the client system. 1A code is defined as: - ActiveX controls - Mobile code script (JavaScript, VBScript) - Windows Scripting Host (WSH) (downloaded via URL or email) When JavaScript and VBScript execute within the browser they are Category 3, however, when they execute in WSH, they are 1A.
STIG Date
Application Security and Development Security Technical Implementation Guide 2017-01-09

Details

Check Text ( C-70765r1_chk )
Review the application documentation and interview the application administrator to identify any mobile code that is provided by the application for client consumption.

If the application does not contain mobile code, or if the mobile code executes within the client browser, this is not applicable.

The URL of the application must be added to the Trusted Sites zone. This is accomplished via the Tools, Internet Options, and “Security” Tab.

Select the “Trusted Sites” zone.
Click the “sites” button.
Enter the URL into the text box below the “Add this site to this zone” message.
Click "Add”.
Click “OK”.

Note: This requires administrator privileges to add URL to sites on a STIG compliant workstation.

Next, test the application. This testing should include functional testing from all major components of the application.

If mobile code is in use, the browser will prompt to download the control. At the download prompt, the browser will indicate that code has been digitally signed.

If the code has not been signed or the application warns that a control cannot be invoked due to security settings, this is a finding.
Fix Text (F-76525r1_fix)
Configure the application so Category 1A mobile code is signed.