
Research: Buggy, Flawed 'ActiveX' Controls Pervasive

Microsoft takes its share of lumps from security experts for building software that constantly requires security updates, but dozens of major corporations may also be guilty of piling their own security problems into Windows machines.

New data collected by at least one notable security researcher suggests that as much as 50 percent of all computers powered by Microsoft Windows might contain one or more non-Microsoft components that could allow malicious Web sites to seize control of them.

The components at issue all rely on ActiveX, a Microsoft technology that is deeply woven into the Windows operating system and into Microsoft's Internet Explorer Web browser. ActiveX was designed to let Web sites build interactive, multimedia-rich pages, but it does so by letting a page drive compiled native code that runs with the full privileges of the logged-in user, and such powerful features rarely come without security trade-offs.

Spyware and adware purveyors have long used ActiveX to install their junk programs on Windows machines. This usually happens when an IE user visits a Web site and is presented with a pop-up prompt asking the user to make a spot decision about whether or not to trust the Web site to install software.

This isn't to say that ActiveX controls are inherently dangerous. Indeed, many sites use them to provide legitimate services like movie, music and file viewers, interactive games, and -- on Microsoft's site -- security patches.

The trouble is that -- depending on the way certain security options are set in IE -- often the user is expected to make a decision before even viewing the content on the site and without a whole lot of information about the motives of the people asking for that trust.

As it turns out, a poorly designed ActiveX control distributed by a Fortune 500 company that most consumers already trust can be just as dangerous as a malicious control foisted by a dodgy Web site. According to estimates by Richard M. Smith, a privacy and security consultant at Boston Software Forensics, more than half of all Windows PCs contain one or more ActiveX controls which allow for system takeover from malicious Web pages.

The most recent high-profile scare over an ActiveX control came as part of the recent controversy over a flawed piece of anti-piracy software installed by certain Sony BMG music CDs. After the label released a program to help customers remove the software, security experts found that the program left behind an ActiveX control that any Web site could use to plant any files -- even viruses or spyware -- on a visitor's computer if they browsed the site with IE.

Part of the reason Sony's ActiveX component was potentially such a threat has to do with the way Windows machines are configured by default. On Windows XP computers with Service Pack 2 installed, for example, Internet Explorer lets script on any Web page create and call methods on an already-installed ActiveX control as long as that control is marked "safe for scripting." The mark is the control author's assertion that nothing a script can do with the control is harmful, and IE takes that assertion on faith: any Web page can use the control and its methods, which in many cases include the ability to download and execute potentially hostile code.

Smith said his research indicates that the Sony BMG case is just the most visible example of a far more pervasive problem with the way companies design and distribute such controls. Smith has spent several months refining a set of software tools that can scour Windows PCs for poorly designed ActiveX components that could expose users to serious security risks if they merely visit a specially crafted or hostile Web site.

Smith's tool checks ActiveX controls to see if they appear vulnerable to so-called "buffer overflow" flaws, relatively common and easily preventable programming errors in which a program copies more data into a fixed-size memory buffer than the buffer can hold (in a control, typically a string handed to it by the Web page), which can cause the program to crash or allow it to be exploited by attackers. (Smith said he did not attempt the time-consuming process of developing an exploit for each ActiveX control he found with telltale signs of a buffer overflow problem. Rather, his research is based on the assumption that each flaw he found was potentially exploitable.)

Smith found dangerous security problems in ActiveX controls distributed by dozens of other major companies, including PC manufacturers and even some of the nation's largest Internet service providers. In a letter he sent last week to the CERT Coordination Center -- a group at Carnegie Mellon University's Software Engineering Institute that studies computer security vulnerabilities -- Smith noted that the results produced by his tools so far paint a grim picture for the current state of ActiveX security.

"In some cases, these insecure controls come pre-installed on a Windows PC from the factory," Smith wrote to CERT. "In other cases, insecure ActiveX controls are silently installed as part of application software packages. In most cases, these insecure controls are being distributed by brand-name, Fortune 500 companies."

Using a small amount of JavaScript -- a powerful programming language commonly used on Web sites -- an attacker could create a Web page that attempts to break into a system by methodically trying out a series of exploits against known ActiveX security flaws. "Such a Web page would basically be a door rattler that keeps trying out exploits until it finds an open door into a system," Smith said.

Last month, America Online released a patch to fix a serious ActiveX flaw Smith found in the software AOL users need to get online through the company's service. Last year, Smith told telecom and Internet-service giant Verizon that the account-setup CD-ROMs the company sends to new customers contained a misconfigured ActiveX control that a Web site could manipulate to take over an affected user's machine.

Smith found another vulnerable control created by computer maker Hewlett-Packard that shipped with millions of brand new HP machines.

Another similarly defective ActiveX control made by a major Internet service provider was factory-installed on certain brands of computers starting in 2003. In that case, Smith found that the faulty control was active even if the user was not a customer of that ISP.

Using his diagnostic tools, Smith learned that a major printer manufacturer is distributing a number of "safe for scripting" controls with errors which are likely exploitable. The controls in question are used for product support and are silently installed by the application software CD-ROM that accompanies the printer maker's products.

And he's found plenty more examples like those. Based on the dozens of computers he's scanned so far using his software, Smith estimates that the average Windows PC has about 5,000 ActiveX controls installed by various programs, five to 10 percent of which will be marked "safe for scripting." Unfortunately, he said, many of those controls do not appear to have been written with an eye toward security.
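The check a practitioner would want at this point, both for the "safe for scripting" mechanism described earlier and for Smith's estimate of how many such controls a typical PC carries, is to count them on a machine of their own. The script below is an added example; it is not part of the article and is not Smith's tool. It walks HKEY_CLASSES_ROOT\CLSID, keeps the classes whose Implemented Categories key carries the CATID_SafeForScripting component category (the registry form of the marking), and reports each one's ProgID, the DLL or OCX that implements it, whether it is also marked safe for initializing, and whether Internet Explorer's kill bit already blocks it. The function and variable names are mine.

```powershell
# Added example (not from the article and not Smith's tool): enumerate the
# ActiveX controls registered on this machine that are marked "safe for
# scripting" through the registry, and report whether IE's kill bit already
# blocks each one. Run from an elevated PowerShell prompt so every key is readable.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBit    = 0x400   # Compatibility Flags bit that stops IE instantiating the CLSID (KB 240797)
$ClsidRoot  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-DefaultValue([string]$Path) {
    # The unnamed default value of a registry key, or $null if the key is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

function Get-SafeForScriptingControls {
    foreach ($clsidKey in Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        $base  = "$ClsidRoot\$clsid"
        # Only classes that advertise the safe-for-scripting category in the registry.
        if (-not (Test-Path "$base\Implemented Categories\$CatSafeForScripting")) { continue }

        $flags = (Get-ItemProperty -Path "$CompatRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        [PSCustomObject]@{
            CLSID       = $clsid
            ProgID      = Get-DefaultValue "$base\ProgID"
            Server      = Get-DefaultValue "$base\InprocServer32"
            SafeForInit = Test-Path "$base\Implemented Categories\$CatSafeForInitializing"
            KillBitSet  = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

$all      = @(Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue)
$controls = @(Get-SafeForScriptingControls)
$exposed  = @($controls | Where-Object { -not $_.KillBitSet })
'{0} CLSIDs registered, {1} marked safe for scripting, {2} of those not kill-bitted' -f $all.Count, $controls.Count, $exposed.Count
$exposed | Sort-Object Server | Format-Table CLSID, ProgID, Server, SafeForInit -AutoSize
```

The scan sees only the registry marking. A control can instead answer the safe-for-scripting question at run time through the IObjectSafety interface, which cannot be observed without loading the control, so a registry-only count is a lower bound. On 64-bit Windows, run the script from a 32-bit PowerShell as well: the controls that 32-bit Internet Explorer loads register under the redirected Wow6432Node view of HKEY_CLASSES_ROOT\CLSID, and their kill bits live under HKLM\SOFTWARE\Wow6432Node.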

"The problem is that anyone who writes an ActiveX control suddenly has to become [an] Internet security expert -- and if they're not, they're most likely going to end up writing [an] ActiveX control that has a security vulnerability in it," Smith said in a telephone interview.

AOL, Verizon and HP have all issued updates to fix the problems Smith found. But not all companies distributing faulty ActiveX controls have the infrastructure in place to ship updates on a massive scale to their customers and users, and many third-party software developers who produce flawed controls likely do not even have a direct relationship with the user at all.

"Right now, we're in this really bad situation where some companies have distributed these things to millions of computers but have no way to notify users," Smith said.
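When a vendor cannot or will not ship a fix, Internet Explorer does offer a way to neutralize a specific control without uninstalling it: the "kill bit," a flag in the ActiveX Compatibility registry key that tells IE never to instantiate that CLSID. Microsoft documents the mechanism in Knowledge Base article 240797 and uses it in its own security updates. The functions below are an added example, not from the article; the CLSID they are called with is a placeholder rather than a real control, and the function names are mine.

```powershell
# Added example (not from the article): block a specific ActiveX control in
# Internet Explorer by setting its kill bit, the mechanism Microsoft documents
# in KB 240797. The CLSID used at the bottom is a placeholder, not a real
# control. Requires an elevated prompt because the keys live under HKLM.
$KillBit = 0x400

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $paths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on 64-bit Windows reads the redirected Wow6432Node view.
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($base in $paths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the kill bit in so any other compatibility flags already set survive.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = Join-Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' $Clsid
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

# Placeholder CLSID for illustration only; substitute the control you want blocked.
$target = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit  -Clsid $target
Test-ActiveXKillBit -Clsid $target
```

Setting the bit needs administrative rights and takes effect the next time IE tries to create the control. It is an IE-side block: the control's file stays on disk, and programs that host ActiveX controls without going through IE's checks can still load it. Because the kill bit applies in every zone, including Trusted Sites, it is the right tool for a control you have decided no Web page should ever reach.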

Tom Liston, a senior consultant with Intelguardians, a Washington-based security consulting group, said ActiveX controls have been a scary thing for a long time because users are forced to rely on the good software-development practices of all of these third-party vendors.

"I would think that if [Smith] is finding a lot of buffer overflows in these third-party apps, it could open up a whole new can of worms because in a lot of cases, there's some serious targetability here based on which company supplied the control," Liston said. 

For example, say an attacker knew that an ISP required all of its customers to set up their accounts using one of these flawed ActiveX controls. With a trivial effort, the attacker could spam out millions of e-mails just to that ISP's customers, urging them to click on a link that takes advantage of the flaw to install spyware or other unwanted software.

In the latest quarterly update to its list of the "Top 20" most critical new software vulnerabilities, the SANS Internet Storm Center listed a large number of flaws in third-party programs such as media players and security software. Experts observed that the list showed that even though Microsoft has gotten better about fixing easily exploitable flaws in its products, online criminals have shifted their attention to third-party programs built to run on top of Windows.

An attack exploiting poorly written third-party ActiveX controls would fit that trend, Liston said.

"To give Microsoft credit, with Service Pack 2 they've locked down a number of easy-to-exploit things, [but] when you start locking down ... the operating system, the next step for the bad guys is to go after third-party apps," Liston said. "When you have such a wide range of software-development practices out there, you're going to find low-hanging fruit, and this ActiveX stuff is about as low-hanging as it gets."

Also to Microsoft's credit, Service Pack 2 tweaked IE settings so that switching off ActiveX and scripting will not -- for the most part -- ruin the seamless browsing experience that users expect with annoying error messages. Instead of throwing up warning boxes that prevent a page from loading, the browser now puts a small notice directly beneath the browser's address bar when I visit sites that use ActiveX (for example, F-Secure Corp.).

If you use IE to surf the Web, take a minute to read over Microsoft's recommendations on ways to harden the browser's security settings.
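For readers who would rather not depend on per-control fixes at all, the zone settings can do the job wholesale. The script below is an added example, not part of the article or of Microsoft's guidance: it turns every ActiveX-related action off in the Internet and Restricted Sites zones for the current user, leaves Trusted Sites at "prompt," and shows how a single host is placed in the Trusted Sites zone. The action IDs and the 0/1/3 values are the ones IE stores under each zone key; the choice of actions, the function names and the domain used for illustration are mine.

```powershell
# Added example (not from the article or Microsoft's guidance): disable
# ActiveX in the Internet and Restricted Sites zones for the current user,
# keep it at "prompt" in Trusted Sites, and place one host in Trusted Sites.
# The domain used below is an illustration only. Runs as the user whose IE
# settings you want to change; HKCU needs no elevation.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Prompt = 1; $Disable = 3    # IE stores 0 = enable, 1 = prompt, 3 = disable per URL action

# URL action IDs; IE stores each as a DWORD value named with the hex ID under the zone key.
$ActiveXActions = @{
    0x1001 = 'Download signed ActiveX controls'
    0x1004 = 'Download unsigned ActiveX controls'
    0x1200 = 'Run ActiveX controls and plug-ins'
    0x1201 = 'Initialize and script controls not marked safe for scripting'
    0x1405 = 'Script ActiveX controls marked safe for scripting'
}

function ConvertTo-SettingName([int]$Value) {
    switch ($Value) { 0 { 'enable' } 1 { 'prompt' } 3 { 'disable' } default { "other ($Value)" } }
}

function Set-ZoneActiveXPolicy {
    param([Parameter(Mandatory)][int]$Zone, [Parameter(Mandatory)][int]$Value)
    $key = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($action in $ActiveXActions.Keys) {
        # Value names are the hex action ID with no prefix, e.g. "1200".
        Set-ItemProperty -Path $key -Name ('{0:X}' -f $action) -Value $Value -Type DWord
    }
}

function Get-ZoneActiveXPolicy {
    param([Parameter(Mandatory)][int]$Zone)
    $props = Get-ItemProperty -Path (Join-Path $ZoneRoot $Zone)
    foreach ($action in ($ActiveXActions.Keys | Sort-Object)) {
        $name = '{0:X}' -f $action
        $raw  = $props.$name
        $setting = if ($null -eq $raw) { 'not set' } else { ConvertTo-SettingName ([int]$raw) }
        [PSCustomObject]@{ Zone = $Zone; Action = $ActiveXActions[$action]; Setting = $setting }
    }
}

function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$Domain, [string]$Subdomain = '', [string]$Scheme = 'https')
    # ZoneMap\Domains\<domain>[\<subdomain>] holds a DWORD named after the
    # scheme whose value is the zone number; 2 is Trusted Sites.
    $key = Join-Path $ZoneMap $Domain
    if ($Subdomain) { $key = Join-Path $key $Subdomain }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

Set-ZoneActiveXPolicy -Zone 3 -Value $Disable   # Internet
Set-ZoneActiveXPolicy -Zone 4 -Value $Disable   # Restricted Sites
Set-ZoneActiveXPolicy -Zone 2 -Value $Prompt    # Trusted Sites still asks before running
Add-TrustedSite -Domain 'microsoft.com' -Subdomain 'update'   # illustration only
3, 2 | ForEach-Object { Get-ZoneActiveXPolicy -Zone $_ } | Format-Table -AutoSize
```

Per-user zone settings are ignored when the Security_HKLM_only policy forces machine-wide zones, so on a managed PC check Group Policy first. The new values apply the next time Internet Explorer starts, and the SP2 information bar described above is what you will see on sites that now try to load a control.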

By Brian Krebs  |  January 31, 2006; 11:38 AM ET
Categories:  Latest Warnings  


Just use Mozilla's Firefox. Firefox, while not 100% free of potential corruption, is much, much safer than Internet Explorer. The Washington Post has published at least one story to this effect.

Not only is it safer but it also offers tabbed browsing, which is awesome once you get the hang of it. Until IE gets the 'bugs' out I'll be using Firefox for most of my browsing.

Posted by: CC | January 31, 2006 1:38 PM | Report abuse

IE7, due out this fall, takes the restrictions on ActiveX execution considerably further than SP2. For the first time, it will take a hard look and often require intervention before running controls already locally cached. I don't have all the details, but it is going to break a lot of custom corporate apps.

Posted by: Steve Wildstrom | January 31, 2006 3:30 PM | Report abuse

Firefox is not as secure as you might think.

A plain-vanilla install of Firefox 1.5 lacks the ability to set up either a blacklist or a whitelist for Java/Javascript. It's either on or off.

Firefox users should install the "NoScript" extension to block Java and Javascript at all web sites except those that the user specifically permits. This extension can also block those silly Flash animations used by so many clueless developers.

Posted by: Ken L | January 31, 2006 4:33 PM | Report abuse

IE7? MS must be taking a lot of heat because the "official" line is:

Q. Will the enhancements to Internet Explorer in Windows XP Service Pack 2 be made available for versions of Windows released prior to Windows XP?
A. At this time, we do not have plans to make the enhancements for Internet Explorer in Windows XP Service Pack 2 available for versions of the Windows operating system released prior to Windows XP. This includes Windows 2000 Professional, Windows NT 4, Windows 98, and Windows Millennium Edition. However, we do remain committed to providing security updates to our customers on all supported Windows versions.

Q. Is Microsoft planning to deliver a new stand-alone version of Internet Explorer?
A. Our current plan is to deliver Internet Explorer features and technologies with major Windows releases, such as a Windows operating system service pack or a new Windows version. At this time, we do not have plans to release a new stand-alone version of Internet Explorer. By aligning Internet Explorer updates more closely with Windows releases, customers will benefit in two ways:

The number of updates that customers need to install and maintain will be minimized.

Microsoft can deliver more integrated software solutions that will better meet customer needs.

We will continue to improve current versions of Internet Explorer, particularly around security and stability, and ensure customers using supported versions of Internet Explorer have access to appropriate updates.


Posted by: GTexas | January 31, 2006 4:45 PM | Report abuse

Well, there is another solution--run Mac OS X. Significantly fewer headaches like this are good reason enough...

Posted by: Anonymous | January 31, 2006 7:23 PM | Report abuse

Another ActiveX problem -

Posted by: Anonymous | February 1, 2006 12:57 AM | Report abuse

Quite simply, ActiveX Controls should never have been given the privileges and scope they had in the first place. Why Microsoft chose to ignore all the computing experience of previous decades and produce something far inferior and unsuited for the purpose remains a mystery to me.

Posted by: Steve | February 1, 2006 9:33 AM | Report abuse


Posted by: goodone | February 1, 2006 10:38 PM | Report abuse

>>If you use IE to surf the Web, take a minute to read over Microsoft's recommendations on ways to harden the browser's security settings.

And then, after you've read it, just set it aside for the time being, and follow these recommendations instead (which will actually in fact harden IE, just not in the way Microsoft chose to define "harden"):

Apparently, even with (or in spite of) their new-found emphasis on security, Microsoft still regard ActiveX as sacrosanct and inviolable, and thus won't ever advise you to just disable it in all zones except Trusted Sites. Such specific advice is conspicuous by its absence from the following pages:

This advice is still fragmentary:

and this is only about disabling individual ActiveX controls.

Posted by: Mark Odell | February 10, 2006 2:52 PM | Report abuse


© 2010 The Washington Post Company