Posted at 6:00 PM ET, 06/27/2008

Taming Internet Explorer Browser Plug-Ins

By Brian Krebs

Security Fix has often lamented the lack of decent point-and-click software tools to help Microsoft Internet Explorer Web browser users kill insecure "ActiveX controls," plug-ins for IE that have traditionally been among the biggest avenues of attack from spyware and adware. That's why I'm pleased to call attention to a free new tool called "AxBan," which helps neuter insecure ActiveX plug-ins installed by some of the most widely used third-party software applications.

ActiveX is a Microsoft creation woven into both IE and the Windows operating system. It was designed to allow Web sites to develop interactive, multimedia-rich pages. However, such powerful features rarely ever come without security trade-offs.

Poorly designed ActiveX controls can be an extremely potent weapon for cyber crooks, since most ActiveX controls distributed with third party software are marked "safe for scripting." This means that they will run when invoked and without requiring the user's permission. As a result, any Web page can use the control and its methods, which in many cases includes the ability to download and execute potentially hostile code.

Not only are ActiveX vulnerabilities frequently targeted by hackers, they are among the most common browser-related vulnerabilities. In its latest Internet Security Threat Report, Symantec documented some 239 new vulnerabilities in Web browser plug-ins. Plug-ins for Adobe Acrobat, Flash, Java, Mozilla Firefox, QuickTime and Windows Media Player made up 21 percent of those, while the rest were all ActiveX-related vulnerabilities.

Source: Symantec Corp.

While it is true that IE7 includes some extra security protections to prevent the automatic downloading of ActiveX controls, IE7 does nothing to prevent the execution or manipulation of ActiveX controls already installed by third-party software programs like Adobe Reader, QuickTime, iTunes, Java, and Flash, to name just a few. In my experience, tons of programs - from printer software to media players and social-networking site plug-ins - install their own ActiveX controls, but most people who have those controls installed would never miss them if they were removed or deactivated.

The 1.5 Beta version of AxBan, developed by Errata Security, is available from this link here. When you start the program, it will warn you that using AxBan changes the system registry and to proceed at your own risk. I've used this program on at least four systems now with no ill-effects, and the chances that this will actually mess up your system are pretty close to nil, as the changes are slight.

When the main program window opens, click on the "ActiveX" tab to see which ActiveX plug-ins you have installed - those installed and activated will be listed in red. Click the "Killbit" button to deactivate those ActiveX controls. If you need to reactivate them in the future for any reason, you can always restart the program, highlight the programs in question, and select the "Unkillbit Selected" button.

The latest AxBan version is decent, but it certainly has room to grow, as it currently only lists a tiny fraction of the total known, faulty or potentially dangerous ActiveX controls. To its credit, however, Errata has included an update feature, which should check for new ActiveX threats the company may have flagged since the user's last scan.
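A read-only way to see, on your own machine, the two settings discussed above. This is an example added here, not code from the original post and not how AxBan itself works; it assumes the documented Windows registry locations for the "safe for scripting" category and for IE's kill bit flag (0x400), and `Test-KillBit` is a hypothetical helper name.

```powershell
# Read-only audit: lists ActiveX controls registered as "safe for scripting"
# and reports whether IE's kill bit is set for each. Makes no registry changes.
# Assumed (documented) locations:
#   category : HKCR\CLSID\{clsid}\Implemented Categories\{7DD95801-...}
#   kill bit : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{clsid}
#              DWORD "Compatibility Flags" with 0x400 set
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C205F}'
$KillBitFlag      = 0x400
$ClsidRoot  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$CompatRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {   # hypothetical helper name
    param([string]$Clsid)
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (([int64]$flags -band $KillBitFlag) -ne 0)
}

$report = foreach ($cls in Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue) {
    $clsid = $cls.PSChildName
    $category = "$ClsidRoot\$clsid\Implemented Categories\$SafeForScripting"
    if (-not (Test-Path -LiteralPath $category)) { continue }   # not marked safe for scripting

    # Path of the DLL/OCX that implements the control, if registered in-process
    $server = (Get-ItemProperty -LiteralPath "$ClsidRoot\$clsid\InprocServer32" `
                                -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        CLSID      = $clsid
        Name       = $cls.GetValue('')      # friendly name (default value of the CLSID key)
        Server     = $server
        KillBitSet = Test-KillBit -Clsid $clsid
    }
}

$report | Sort-Object KillBitSet, Name | Format-Table -AutoSize
$total  = @($report).Count
$active = @($report | Where-Object { -not $_.KillBitSet }).Count
"{0} controls marked safe for scripting; {1} of them have no kill bit set." -f $total, $active
```

On 64-bit Windows the 32-bit registrations live under the `Wow6432Node` copies of both keys, which this script does not read. Controls that declare themselves safe at run time through the `IObjectSafety` interface instead of the registry category will not appear in the list.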

By Brian Krebs  | June 27, 2008; 6:00 PM ET
Categories:  From the Bunker, Latest Warnings, Safety Tips  


So, if I understand correctly, even if I do not use IE except for Microsoft Update, I would be wise to install AxBan and kill any red ActiveX controls that it finds from other programs and possibly IE.

Am I right on that?

Posted by: Rosie | June 27, 2008 7:41 PM | Report abuse

Sounds like a nice addition, but I get plenty of Active X control with WinPatrol. Is there something I'm missing here?

Posted by: The Dean | June 27, 2008 9:08 PM | Report abuse

I prefer my own layered solution:
1. Aggressively limit the software installed on my system. That means no QuickTime, Adobe Reader, iTunes, Java, or other third party ActiveX controls (except Flash Player). Basically boils down to WMP 11, Flash Player, MSXML 6 (MSXML 3's all disabled), and those needed for the Microsoft Update site.
2. Use IE's Manage Add-ons to disable all controls except Flash Player and MSXML 6 for the daily used non-admin account. The admin account has only the Microsoft Update add-ons enabled.
3. Enable already installed add-ons (ex. WMP, MSXML 3) on an as needed basis only, then disable them promptly when no longer needed.
4. Install Microsoft's latest cumulative ActiveX killbit update (via Microsoft/Windows Update) or see
5. For highly secure websites (anything financial via https), start IE without any Add-ons (right click desktop shortcut and choose "Start without Add-ons").

Posted by: TJ | June 27, 2008 9:59 PM | Report abuse

My menu bar of Internet Explorer has disappeared. How do you restore it please?

Posted by: sarina | June 28, 2008 8:10 PM | Report abuse

@Sarina -- Try hitting the F11 key.

Posted by: Bk | June 28, 2008 10:58 PM | Report abuse

This tool requires the so-called dot net framework - which I don't want any more than bad ActiveX controls.

Fortunately there are ways to avoid ActiveX altogether: best of all, run Linux! And if running Windows, who needs ActiveX anyway, allow it only for Windows Update.

Posted by: Ninho | June 29, 2008 5:35 AM | Report abuse

There is no reason today to use IE 6, 7, or 8.

Firefox has proven to be a much better browser in terms of not only security but also stability, performance, and feature-set.

Posted by: Al | June 29, 2008 4:17 PM | Report abuse

You can avoid ActiveX problems while in Windows by using Opera.

Posted by: Galvin | June 29, 2008 6:03 PM | Report abuse

I have both the Adobe controls just as shown in the picture above. Killing the #4 disables the current installed version of flash which is 9,0,124,0. This version is considered dangerous? Vista SP1.

Posted by: Aggie60 | June 30, 2008 12:16 AM | Report abuse

"This tool requires the so-called dot net framework"

While I can't confirm that as I refuse to install .net on my systems (no need for it, nor do I want it), if true it brings up an interesting problem with these tools (ex. Secunia's Software Inspector requires Java). On one hand they are supposed to help you secure your system. On the other, they require that certain software be installed on your system which can actually raise your system's attack surface offsetting the original benefit of the tool.

Posted by: TJ | June 30, 2008 7:59 AM | Report abuse

The comments to this entry are closed.
