Security Watch

Raise Your Hand if You're Using ActiveX

If your hand is up, consider yourself open to attack.

• By Russ Cooper
• 05/07/2007

ActiveX vulnerabilities are getting very tiresome. First, like so many others, this control will only be found on very few machines. Granted, those machines will typically be an administrator’s machine, but nevertheless, they are very few and far between. Ergo, this is going to be exploited as a target-of-choice attack. Systems that perform such tasks should be run by knowledgeable, security-aware individuals, so the likelihood that they’ll visit a criminal Web site is equally low. So any attack that is likely to work will probably be done internally, by a fellow employee with an Intranet Web site.

That said, it's pathetic that so many years after its introduction, ActiveX controls are still being coded wrong. It would be trivial to have this control site-locked such that it could only speak directly with one or several systems to which it should be speaking. Who needs to use this control with a system they are currently unaware of? The answer is simple: nobody! Whether it’s via a key exchange or simply IP address-blocking, it would be simple to build such functionality into all such ActiveX controls and make vulnerabilities like this more or less irrelevant.

Alas, it would seem that the state of secure programming is still abysmal. Herewith, a few of the problems that have been patched lately having to do with ActiveX controls and buffer overflow vulnerabilities:

First up: Many DVD dlayers may be vulnerable to a buffer overflow in a commonly used ActiveX control. Updates are available.

InterActual and CinePlayer are two applications that are known to be vulnerable, and both are widely deployed. While exploitation of ActiveX controls is usually minimal, we would not be surprised to see this incorporated into those existing sites that are already trying to exploit other Windows vulnerabilities. As always, the victim must be enticed into visiting the criminal site in the first place.

McAfee's ePolicy Orchestrator and ProtectionPilot sitemanager ActiveX control, which is used in the management of a server product, also contains a buffer overflow vulnerability. The ActiveX control should be found only on machines that run the server product itself or the remote management console. Exploitation of the vulnerability can result in code of the criminal’s choice running in the security context of the victim user. Updates are available here and here.

Want More Security? This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Bad Backup Plan
Okay, this one doesn't involve an ActiveX control: An unauthenticated criminal could send malicious RPC packets via 6502 tcp and 111 udp to a CA BrightStor ARCserve Backup server and cause an overflow in the tape service. Exploitation could result in code of the criminal’s choice running in the security context of the service. Patches are available.

Yet another vulnerability in a backup service, this flaw is likely to be a problem on large open networks such as those at .EDU networks.