ActiveX vulnerabilities have posed a security challenge for some time, and they're likely to be a challenge for quite some time to come. Look at examples such as Microsoft's patches this summer, which included a fix for Internet Explorer (MS-09034) and another (MS-09035) for Visual Studio 2005 and 2008.
These updates were released to protect users from a security hole in technology employed by developers to create powerful web-based application elements. More specifically, the flaws resided in the Active Template Library (ATL), which is a framework of code that helps to ease the creation of Component Object Models (COM) and ActiveX controls. Microsoft has an excellent overview of its ATL available here.
Vulnerabilities of this nature, not just those found in ActiveX controls but any pervasive platform such as Adobe Flash, Java or Silverlight, are insidious because they are used so widely. For instance, many of the world's largest software publishers, such as Adobe, Sun and Google, among many others, develop ActiveX controls for their applications. And exploits were developed and used in attacks against several applications reliant on ATL-built controls.
Unfortunately, this situation isn't unusual. Consider other vulnerabilities found in various ActiveX controls just this year. The flaws in many controls were serious, such as:
• 116502 eBay Enhanced Picture Services ActiveX Control Vulnerability
• 90510 Microsoft Video ActiveX Control Remote Code Execution Vulnerability (MS09-032)
• 116461 eBay Enhanced Picture Services ActiveX Control Update
• 116431 Sun Java Runtime Environment ActiveX Control Multiple Remote Vulnerabilities
• 19472 Microsoft SQL Server sqldmo.dll ActiveX Buffer Overflow Vulnerability
• 116401 Symantec Norton Ghost "EasySetupInt.dll" ActiveX Multiple Vulnerabilities
• 90495 Microsoft IAG 2007 ActiveX Control Multiple Stack Based Buffer Overflow Vulnerabilities
• 116360 SAP AG SAPgui EAI WebViewer3D ActiveX Control Stack Buffer Overflow Vulnerability
• 116318 IBM Access Support ActiveX Control Stack Buffer Overflow Vulnerability
• 116313 Orbit Downloader ActiveX Control "download()" Method Arbitrary File Delete Vulnerability
• 116232 BlackBerry Application Web Loader ActiveX Control Remote Buffer Overflow Vulnerability
• 116180 SAP GUI TabOne ActiveX Control Caption List Buffer Overflow
This most recent flurry of ActiveX flaws wasn't the first time there was such a flare-up. In 2007, following the release of a fuzz tester called AxMan (a fuzz tester, or "fuzzer," throws random data at software in an attempt to identify software flaws), more than 250 ActiveX vulnerabilities were found. The number, thanks to remedial efforts sparked by the discoveries, fell thereafter -- to 175 by 2008, and, so far this year, less than 50 were found.
Clearly, the freely available fuzzing tools were the catalyst behind the spike a number of years ago, and the rapid uptick wasn't sustainable. However, another reason for the reduction in overall ActiveX vulnerabilities is the broad movement of software makers to the software-as-a-service (SaaS) model. Software companies no longer develop their SaaS applications with just Internet Explorer in mind, but also Mozilla Firefox, Apple's Safari and Google Chrome, among others – so it makes sense that the reliance on ActiveX, in general, will trend down.
Additionally, Microsoft has taken steps in recent years to make ActiveX controls safer. These steps include the digital signing of installation packages, the requirement of controls to declare themselves safe for use in scripts, tighter default security settings and the blacklist of bad controls maintained within Internet Explorer. Microsoft has a list of these best practices for handling ActiveX here.
Microsoft also is phasing down its reliance on ActiveX, but don't expect this to markedly reduce ActiveX vulnerabilities any time soon. These controls still remain in a number of products, including ActiveX Data Objects (ADO), Active Server Pages, DirectShow, Collaboration Data Objects, Active Scripting, a technology for scripting ActiveX objects, as well as Microsoft's Advanced Systems Format.
One of the most effective ways to protect your organization from ActiveX vulnerabilities is to know what controls are running on which systems and determining whether vulnerable controls can be disabled with minimal or no business impact – and if so, shut them down as necessary.
That's not only good practice for ActiveX controls, but any widely used platform, whether ActiveX, Silverlight, Java, Flash or others. Unfortunately, as new development platforms and programming techniques continue to come online, it's a process security managers must master for the foreseeable future.
These updates were released to protect users from a security hole in technology employed by developers to create powerful web-based application elements. More specifically, the flaws resided in the Active Template Library (ATL), which is a framework of code that helps to ease the creation of Component Object Models (COM) and ActiveX controls. Microsoft has an excellent overview of its ATL available here.
Vulnerabilities of this nature, not just those found in ActiveX controls but any pervasive platform such as Adobe Flash, Java or Silverlight, are insidious because they are used so widely. For instance, many of the world's largest software publishers, such as Adobe, Sun and Google, among many others, develop ActiveX controls for their applications. And exploits were developed and used in attacks against several applications reliant on ATL-built controls.
Unfortunately, this situation isn't unusual. Consider other vulnerabilities found in various ActiveX controls just this year. The flaws in many controls were serious, such as:
• 116502 eBay Enhanced Picture Services ActiveX Control Vulnerability
• 90510 Microsoft Video ActiveX Control Remote Code Execution Vulnerability (MS09-032)
• 116461 eBay Enhanced Picture Services ActiveX Control Update
• 116431 Sun Java Runtime Environment ActiveX Control Multiple Remote Vulnerabilities
• 19472 Microsoft SQL Server sqldmo.dll ActiveX Buffer Overflow Vulnerability
• 116401 Symantec Norton Ghost "EasySetupInt.dll" ActiveX Multiple Vulnerabilities
• 90495 Microsoft IAG 2007 ActiveX Control Multiple Stack Based Buffer Overflow Vulnerabilities
• 116360 SAP AG SAPgui EAI WebViewer3D ActiveX Control Stack Buffer Overflow Vulnerability
• 116318 IBM Access Support ActiveX Control Stack Buffer Overflow Vulnerability
• 116313 Orbit Downloader ActiveX Control "download()" Method Arbitrary File Delete Vulnerability
• 116232 BlackBerry Application Web Loader ActiveX Control Remote Buffer Overflow Vulnerability
• 116180 SAP GUI TabOne ActiveX Control Caption List Buffer Overflow
This most recent flurry of ActiveX flaws wasn't the first time there was such a flare-up. In 2007, following the release of a fuzz tester called AxMan (a fuzz tester, or "fuzzer," throws random data at software in an attempt to identify software flaws), more than 250 ActiveX vulnerabilities were found. The number, thanks to remedial efforts sparked by the discoveries, fell thereafter -- to 175 by 2008, and, so far this year, less than 50 were found.
Clearly, the freely available fuzzing tools were the catalyst behind the spike a number of years ago, and the rapid uptick wasn't sustainable. However, another reason for the reduction in overall ActiveX vulnerabilities is the broad movement of software makers to the software-as-a-service (SaaS) model. Software companies no longer develop their SaaS applications with just Internet Explorer in mind, but also Mozilla Firefox, Apple's Safari and Google Chrome, among others – so it makes sense that the reliance on ActiveX, in general, will trend down.
Additionally, Microsoft has taken steps in recent years to make ActiveX controls safer. These steps include the digital signing of installation packages, the requirement of controls to declare themselves safe for use in scripts, tighter default security settings and the blacklist of bad controls maintained within Internet Explorer. Microsoft has a list of these best practices for handling ActiveX here.
Microsoft also is phasing down its reliance on ActiveX, but don't expect this to markedly reduce ActiveX vulnerabilities any time soon. These controls still remain in a number of products, including ActiveX Data Objects (ADO), Active Server Pages, DirectShow, Collaboration Data Objects, Active Scripting, a technology for scripting ActiveX objects, as well as Microsoft's Advanced Systems Format.
One of the most effective ways to protect your organization from ActiveX vulnerabilities is to know what controls are running on which systems and determining whether vulnerable controls can be disabled with minimal or no business impact – and if so, shut them down as necessary.
That's not only good practice for ActiveX controls, but any widely used platform, whether ActiveX, Silverlight, Java, Flash or others. Unfortunately, as new development platforms and programming techniques continue to come online, it's a process security managers must master for the foreseeable future.
