Research: Buggy, Flawed 'ActiveX' Controls Pervasive
Microsoft takes its share of lumps from security experts for building software that constantly requires security updates, but dozens of major corporations may also be guilty of piling their own security problems into Windows machines.
New data collected by at least one notable security researcher suggests that as much as 50 percent of all computers powered by Microsoft Windows might contain one or more non-Microsoft components that could allow malicious Web sites to seize control of them.
The components at issue all rely on ActiveX, a Microsoft technology that is deeply woven into the Windows operating system and into Microsoft's Internet Explorer Web browser. ActiveX was designed to let Web sites deliver interactive, multimedia-rich pages, but such powerful features rarely come without security trade-offs.
Spyware and adware purveyors have long used ActiveX to install their junk programs on Windows machines. This usually happens when an IE user visits a Web site and is presented with a pop-up prompt asking the user to make a spot decision about whether or not to trust the Web site to install software.
This isn't to say that ActiveX controls are inherently dangerous. Indeed, many sites use them to provide legitimate services like movie, music and file viewers, interactive games, and -- on Microsoft's site -- security patches.
The trouble is that, depending on how certain security options are set in IE, the user is often expected to make that decision before even viewing the content on the site, and with very little information about the motives of the people asking for that trust.
As it turns out, a poorly designed ActiveX control distributed by a Fortune 500 company that most consumers already trust can be just as dangerous as a malicious control foisted by a dodgy Web site. According to estimates by Richard M. Smith, a privacy and security consultant at Boston Software Forensics, more than half of all Windows PCs contain one or more ActiveX controls which allow for system takeover from malicious Web pages.
The most recent high-profile scare over an ActiveX control came as part of the recent controversy over a flawed piece of anti-piracy software installed by certain Sony BMG music CDs. After the label released a program to help customers remove the software, security experts found that the program left behind an ActiveX control that any Web site could use to plant any files -- even viruses or spyware -- on a visitor's computer if the visitor browsed the site with IE.
Part of the reason Sony's ActiveX component posed such a threat has to do with the way Windows machines are configured by default. On Windows XP with Service Pack 2 installed, for example, Internet Explorer lets Web pages script any installed ActiveX control that is marked "safe for scripting." That marking is a claim made by the control's vendor, not something IE verifies. It means any Web page can instantiate the control and call its methods, which in many cases include the ability to download and execute potentially hostile code.
Smith said his research indicates that the Sony BMG case is just the most visible example of a far more pervasive problem with the way companies design and distribute such controls. Smith has spent several months refining a set of software tools that can scour Windows PCs for poorly designed ActiveX components that could expose users to serious security risks if they merely visit a specially crafted or hostile Web site.
Smith's tool checks ActiveX controls for telltale signs of so-called "buffer overflow" flaws, relatively common and easily preventable programming errors that can cause a program to crash or allow it to be exploited by attackers. (Smith said he did not attempt the time-consuming process of developing an exploit for each ActiveX control that showed such signs. Rather, his research is based on the assumption that each flaw he found was potentially exploitable.)
Smith found dangerous security problems in ActiveX controls distributed by dozens of other major companies, including PC manufacturers and even some of the nation's largest Internet service providers. In a letter he sent last week to the CERT Coordination Center -- a group at Carnegie Mellon University's Software Engineering Institute that studies computer security vulnerabilities -- Smith noted that the results produced by his tools so far paint a grim picture for the current state of ActiveX security.
"In some cases, these insecure controls come pre-installed on a Windows PC from the factory," Smith wrote to CERT. "In other cases, insecure ActiveX controls are silently installed as part of application software packages. In most cases, these insecure controls are being distributed by brand-name, Fortune 500 companies."
Last month, America Online released a patch to fix a serious ActiveX flaw Smith found in the software AOL users need to get online through the company's service. Last year, Smith told telecom and Internet-service giant Verizon that the account-setup CD-ROMs the company sends to new customers contained a misconfigured ActiveX control that a Web site could manipulate to take over an affected user's machine.
Smith found another vulnerable control created by computer maker Hewlett-Packard that shipped with millions of brand new HP machines.
Another similarly defective ActiveX control made by a major Internet service provider was factory-installed on certain brands of computers starting in 2003. In that case, Smith found that the faulty control was active even if the user was not a customer of that ISP.
Using his diagnostic tools, Smith learned that a major printer manufacturer is distributing a number of "safe for scripting" controls with errors which are likely exploitable. The controls in question are used for product support and are silently installed by the application software CD-ROM that accompanies the printer maker's products.
And he's found plenty more examples like those. Based on the dozens of computers he's scanned so far using his software, Smith estimates that the average Windows PC has about 5,000 ActiveX controls installed by various programs, five to 10 percent of which will be marked "safe for scripting." Unfortunately, he said, many of those controls do not appear to have been written with an eye toward security.
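To see how many controls on a given machine carry the "safe for scripting" marking described above, and so are reachable from any Web page under IE's default Internet-zone settings, the following PowerShell script is an added example; it is not part of the original article and is not one of Smith's tools. It walks the registered COM classes under HKEY_CLASSES_ROOT\CLSID and reports those whose Implemented Categories subkey contains Microsoft's CATID_SafeForScripting category GUID. For each hit it also reports whether the control carries a kill bit (the "Compatibility Flags" value 0x400 under Internet Explorer's ActiveX Compatibility key), which is IE's mechanism for refusing to load a CLSID; the kill-bit check goes beyond what the article discusses. The function name Get-ScriptableActiveX and the output field names are my own.

```powershell
# Added audit example; not from the article and not one of Smith's tools.
# Lists COM classes registered as "Safe for Scripting" and whether each is
# kill-bitted. Read-only: it changes nothing in the registry, and reading
# HKCR/HKLM needs no elevation.

# Microsoft's documented component-category GUIDs (CATIDs).
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# IE refuses to instantiate a CLSID whose "Compatibility Flags" value under
# this key has bit 0x400 (the kill bit) set. On 64-bit Windows the 32-bit IE
# process reads the Wow6432Node copy, so both are consulted.
$KillBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBitFlag = 0x400

function Test-KillBit {
    param([string] $Clsid)
    foreach ($root in $KillBitRoots) {
        $compat = Get-ItemProperty "$root\$Clsid" -ErrorAction SilentlyContinue
        if ($compat -and $null -ne $compat.'Compatibility Flags') {
            if (($compat.'Compatibility Flags' -band $KillBitFlag) -ne 0) { return $true }
        }
    }
    return $false
}

function Get-ScriptableActiveX {
    param(
        # HKCR merges HKLM and HKCU class registrations; on 64-bit Windows the
        # 32-bit controls that 32-bit IE loads live under Wow6432Node.
        [string[]] $ClsidRoots = @(
            'Registry::HKEY_CLASSES_ROOT\CLSID',
            'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
        )
    )

    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path $root)) { continue }

        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $clsid   = $key.PSChildName
            $catPath = "$($key.PSPath)\Implemented Categories"
            if (-not (Test-Path $catPath)) { continue }

            # Subkey names under Implemented Categories are the CATIDs the control claims.
            $cats = @(Get-ChildItem $catPath -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty PSChildName)
            if ($cats -notcontains $CATID_SafeForScripting) { continue }

            # InprocServer32's default value is the DLL/OCX that implements the
            # control; that path is usually the quickest way to identify the vendor.
            $server = Get-ItemProperty "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            $progId = Get-ItemProperty "$($key.PSPath)\ProgID"         -ErrorAction SilentlyContinue
            $serverPath  = if ($server) { $server.'(default)' } else { $null }
            $progIdValue = if ($progId) { $progId.'(default)' } else { $null }

            [pscustomobject]@{
                CLSID               = $clsid
                ProgID              = $progIdValue
                Server              = $serverPath
                SafeForInitializing = ($cats -contains $CATID_SafeForInitializing)
                KillBitSet          = (Test-KillBit -Clsid $clsid)
            }
        }
    }
}

$scriptable = @(Get-ScriptableActiveX)
$exposed    = @($scriptable | Where-Object { -not $_.KillBitSet })

'{0} CLSIDs are registered safe for scripting; {1} of them have no kill bit and can be scripted by any Web page in IE.' -f $scriptable.Count, $exposed.Count

# Sort by implementing binary so controls from the same vendor line up together.
$exposed | Sort-Object Server | Format-Table CLSID, ProgID, Server -AutoSize
```

Two caveats when reading the output. First, a control can also assert its safety at run time by implementing the IObjectSafety interface, which leaves no trace in Implemented Categories, so the registry count is a lower bound on what IE will script. Second, the marking only records that the vendor claimed the control is safe; it says nothing about whether the control's methods are, which is exactly the gap Smith's scans were probing. Controls whose Server path points at a binary that no longer exists are orphaned registrations and cannot be loaded, but they are still worth cleaning up.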
"The problem is that anyone who writes an ActiveX control suddenly has to become an Internet security expert -- and if they're not, they're most likely going to end up writing [an] ActiveX control that has a security vulnerability in it," Smith said in a telephone interview.
AOL, Verizon and HP have all issued updates to fix the problems Smith found. But not all companies distributing faulty ActiveX controls have the infrastructure in place to ship updates on a massive scale to their customers and users, and many third-party software developers who produce flawed controls likely do not even have a direct relationship with the user at all.
"Right now, we're in this really bad situation where some companies have distributed these things to millions of computers but have no way to notify users," Smith said.
Tom Liston, a senior consultant with Intelguardians, a Washington-based security consulting group, said ActiveX controls have been a scary thing for a long time because users are forced to rely on the good software-development practices of all of these third-party vendors.
"I would think that if [Smith] is finding a lot of buffer overflows in these third-party apps, it could open up a whole new can of worms because in a lot of cases, there's some serious targetability here based on which company supplied the control," Liston said.
For example, say an attacker knew that an ISP required all of its customers to set up their accounts using one of these flawed ActiveX controls. With a trivial effort, the attacker could spam out millions of e-mails just to that ISP's customers, urging them to click on a link that takes advantage of the flaw to install spyware or other unwanted software.
In the latest quarterly update to its list of the "Top 20" most critical new software vulnerabilities, the SANS Internet Storm Center listed a large number of flaws in third-party programs such as media players and security software. Experts observed that the list showed that even though Microsoft has gotten better about fixing easily exploitable flaws in its products, online criminals have shifted their attention to third-party programs built to run on top of Windows.
An attack exploiting poorly written third-party ActiveX controls would fit that trend, Liston said.
"To give Microsoft credit, with Service Pack 2 they've locked down a number of easy-to-exploit things, [but] when you start locking down ... the operating system, the next step for the bad guys is to go after third-party apps," Liston said. "When you have such a wide range of software-development practices out there, you're going to find low-hanging fruit, and this ActiveX stuff is about as low-hanging as it gets."
Also to Microsoft's credit, Service Pack 2 tweaked IE's settings so that switching off ActiveX and scripting will not -- for the most part -- ruin the seamless browsing experience that users expect by throwing up annoying error messages. Instead of warning boxes that prevent a page from loading, the browser now shows a small notice directly beneath the address bar when I visit sites that use ActiveX (for example, F-Secure Corp.).
If you use IE to surf the Web, take a minute to read over Microsoft's recommendations on ways to harden the browser's security settings.