DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  ActiveX


SYSTEMS AFFECTED

  Systems running ActiveX

  

PROBLEM


    ActiveX is an attractive technology that many of you may be
    tempted to use through your Web browser. This is fine and dandy
    if you trust every single site on the net that you visit. But, if
    you're like most of us who surf blindly from site to site looking
    for new and exciting things, you just may be asking for trouble.



    ActiveX inherits the permissions of the user logged on locally to
    the machine the controls run on. In other words, if your browser
    supports ActiveX and you have this feature enabled, then the
    control has the same authority you do. If you have administrative
    rights, so do the ActiveX controls -- which can be a nasty
    problem.



    There has been a great deal of talk about how ActiveX controls
    can be written to do malicious things on the Internet. However,
    what has not been recognized is that even standard ActiveX
    controls can be made to do malicious things via HTML and
    VBScript. Here are two simple examples of "good" ActiveX
    controls being made to do "bad" things:



        The computer crashing URL - file:///aux



    If Microsoft's ActiveMovie control is told to play a movie from
    the URL file:///aux, Internet Explorer will go into an infinite
    loop under Windows 95. Attempting to shut down Internet Explorer
    by doing an "End Task" will more often than not crash Windows 95.
    This bug can be exploited by the "bad guys" to create HTML pages
    that will crash people's computers when the pages are downloaded
    from a web site.
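
    Added example, not part of the original advisory: a defender-side
    check that a filtering proxy or mail gateway could run over HTML to
    flag file: URLs that name a DOS device. It generalizes from the AUX
    case above to the other reserved device names; the zero CLSID, the
    "Source" property name and the sample page are constructed
    placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Reserved DOS device names. The advisory names only AUX; the rest are an added generalization.
DEVICES = {"CON", "PRN", "AUX", "NUL"} | {p + str(n) for p in ("COM", "LPT") for n in range(1, 10)}
FILE_URL = re.compile(r"file:[^\s\"'<>)]+", re.I)

def is_device_url(value):
    """True when value is a file: URL whose last path component names a DOS device."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    if parts.scheme != "file":
        return False
    last = unquote(parts.path).replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    # An extension or trailing colon does not stop the name resolving to the device.
    return last.split(".", 1)[0].rstrip(" :").upper() in DEVICES

class DeviceUrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if value and is_device_url(value):
                self.findings.append((f"<{tag} {name}>", value))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):  # script bodies: property assignments made from VBScript
        if self.in_script:
            self.findings += [("<script>", u) for u in FILE_URL.findall(data) if is_device_url(u)]

def scan(html):
    scanner = DeviceUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: placeholder CLSID, hypothetical "Source" property name.
SAMPLE = """<object id="Movie" classid="clsid:00000000-0000-0000-0000-000000000000">
<param name="Source" value="file:///aux"></object>
<embed src="file:///C:/clips/auxiliary.avi">
<script language="VBScript">Movie.Source = "FILE:///%61ux.avi"</script>"""
```

    scan(SAMPLE) reports the <param> value and the script assignment,
    and leaves the ordinary auxiliary.avi path alone.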



    Even more worrisome are ActiveX controls that contain methods
    (i.e., function calls) that write files to disks. These methods
    can be used by a simple VBScript program to overwrite key system
    files like AUTOEXEC.BAT, CONFIG.SYS, REG.DAT etc. The damage is
    done simply by viewing an HTML page that contains the ActiveX
    control and the malicious VBScript code. I know of at least
    three commercially available ActiveX controls that have methods
    that will save files to disk. Any of these controls, I believe,
    can be exploited to build a disk crash HTML page. At least two
    of these controls have valid Authenticode digital signatures so
    that they can be automatically downloaded and executed even with
    the highest security settings in Internet Explorer 3.





EXPLOIT

  

SOLUTION


    Disable all ActiveX scripts, controls, and plug-ins on your
    browser. Then when you're certain that a site is safe, turn them
    on ONLY while surfing that site - and turn them back off again
    when you're done. Do the same thing for Java and JavaScript too.