ActiveX (out of) ControlsWeb browsers translate HTML received from web servers, as well as running scripts or other code retrieved from web servers such as ActiveX, JavaScript and Java. ActiveX is quite unique in that it has access to the core Windows Operating System, so effectively whatever can be done with Windows can also be done by the ActiveX program. Whilst very powerful, this also represents a potential security nightmare. Accordingly, Microsoft has a long history of security issues with this technology as it essentially allows 'Administrator' access via the browser to the client's machine. (If the user is logged in as Administrator at the time, otherwise it has the same privileges as the user.) Tales of early ActiveX exploits include a control that was unnoticeably downloaded while viewing a web page using Internet Explorer 3.1, with the ActiveX program running automatically. If the user had a certain well-known brand name accounting package on the machines hard drive and it was used to pay invoices electronically, the ActiveX program inserted a transaction into the next invoice paying session that transferred money directly to the hackers' account. Nasty. Microsoft's initial reaction to criticism was one of concern that users didn't realise that all executable content on the Internet is potentially dangerous, and that more end-user education was therefore needed. Soon after this they devised "Authenticode", a digital signature provided to those who register their ActiveX programs. This code signing, when used, allows end-users the ability to identify the author (e.g. IBM) of a program before allowing it to either be installed or executed on their computer. Microsoft relies on trust for this security model and warns against making ActiveX with dangerous capabilities. The responsibility, however, rests with the creator of the ActiveX, as in any trust model. It is important to note that Microsoft, and most other entities, do not verify precisely what a 'signed' programs does. They effectively certify that they have seen it, which unfortunately doesn't do much for the security of your computer. The problem is that any 'trusted' author is perfectly capable of writing bad code. Hackers can investigate signed controls for flaws and then apply them in a malicious manner, or they may simply create their own unsigned versions. Even with Microsoft's security model, many of Internet Explorer's security problems have been (and continue to be) ActiveX-related. As recently as June 2004, IBM made available methods that can allow a remote attacker to have a victim system silently download the file of their choice into the location of their choice. By downloading an executable file to the Startup folder, this malicious executable would be automatically executed on start up. Red faces all around. The simple solution that springs to mind is to banish this horrible ActiveX from ever touching your computers. But hold on, there's a problem. ActiveX is used by a lot of web sites out there, and if it disallowed will probably make the whole web experience seem very limiting. For example, Flash and RealPlayer utilise ActiveX. It is, however, possible to restrict use of ActiveX on Internet Explorer to make things less scary. One way to combat malicious web sites is to turn off or set to prompt for certain scripting and ActiveX options in Internet Explorer. However, if you visit 'trusted' web sites often, it can be extremely annoying to keep clicking "Yes" (or "No") on the same sites. Internet Explorer has settings that allow management of these trusted sites. To add often-visited web sites to the trusted category, go to Internet Explorer's Tools > Internet Options to bring up an Internet Options box (see picture below). Click on the Security tab and then Trusted sites (the 'tick'). Next, click on Sites… where trusted domains such as icaew.co.uk, can be added. When finished adding the trusted sites, click OK. When a domain or web site is placed in the trusted zone, it becomes a low-level security zone, which allows downloading content such as ActiveX controls and plug-ins, cookies, and all scripting. Unsigned ActiveX controls will still be blocked, and prompts will appear for any ActiveX loaded into the trusted web pages from third party sites (e.g. banner adverts) unless they too are from trusted domains! In summary, each time you decide to invite ActiveX into your web browser or email client, you are taking a gamble, even if it is from a 'trusted' source. It's therefore important to consider the damaging impact that it can have. Alan Phillips, 7Safe Information Security |
