Raise Your Hand if You're Using ActiveX
If your hand is up, consider yourself open to attack.
ActiveX vulnerabilities are getting very tiresome. First, like so many
others, this control will only be found on very few machines. Granted,
those machines will typically be an administrator's machine, but
nevertheless, they are very few and far between. Ergo, this is going to
be exploited as a target-of-choice attack. Systems that perform such tasks
should be run by knowledgeable, security-aware individuals, so the likelihood
that they'll visit a criminal Web site is equally low. So any attack
that is likely to work will probably be done internally, by a fellow employee
with an Intranet Web site.
That said, it's pathetic that so many years after its introduction, ActiveX
controls are still being coded wrong. It would be trivial to have this
control site-locked such that it could only speak directly with one or
several systems to which it should be speaking. Who needs to use this
control with a system they are currently unaware of? The answer is simple:
nobody! Whether it's via a key exchange or simply IP address-blocking,
it would be simple to build such functionality into all such ActiveX controls
and make vulnerabilities like this more or less irrelevant.
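The site-lock decision described above, as an added example that is not code from this column or from any vendor's control: the control refuses to initialize unless the page hosting it is on an allow-list. It locks by host name (IP-address or key-based locking would slot into the same check), assumes the control has already obtained the hosting page's URL from its container, and uses hypothetical names (SiteRule, site_allowed) and constructed host names.

```cpp
// Added example: site-lock check for a browser-hosted control (all names and hosts are hypothetical).
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

struct SiteRule { std::string scheme, host; };  // host: exact name, or "*.suffix" for subdomains only

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}

// Split "scheme://[userinfo@]host[:port]/..." into scheme and host; false if malformed.
static bool split_url(const std::string& url, std::string& scheme, std::string& host) {
    auto sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return false;
    scheme = lower(url.substr(0, sep));
    auto end = url.find_first_of("/?#\\", sep + 3);   // browsers treat '\' like '/'
    std::string authority = url.substr(sep + 3, end == std::string::npos ? end : end - (sep + 3));
    auto at = authority.rfind('@');                   // discard "trusted-name@" userinfo
    if (at != std::string::npos) authority.erase(0, at + 1);
    auto colon = authority.find(':');                 // discard port (IPv6 literals fail closed)
    if (colon != std::string::npos) authority.erase(colon);
    while (!authority.empty() && authority.back() == '.') authority.pop_back();
    host = lower(authority);
    return !host.empty();
}

// True only if the hosting page's URL matches an allow-list rule; anything unparsable is refused.
bool site_allowed(const std::string& page_url, const std::vector<SiteRule>& rules) {
    std::string scheme, host;
    if (!split_url(page_url, scheme, host)) return false;
    for (const SiteRule& r : rules) {
        if (scheme != lower(r.scheme)) continue;
        std::string pat = lower(r.host);
        if (pat.rfind("*.", 0) == 0) {
            std::string suffix = pat.substr(1);       // "*.a.b" -> ".a.b", so the dot must match
            if (host.size() > suffix.size() &&
                host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0)
                return true;
        } else if (host == pat) {
            return true;
        }
    }
    return false;
}
```

The comparison is made on the parsed host, not on a substring of the URL, which is what keeps look-alike prefixes, userinfo tricks and near-miss suffixes from passing.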
Alas, it would seem that the state of secure programming is still abysmal.
Herewith, a few of the problems that have been patched lately having to
do with ActiveX controls and buffer overflow vulnerabilities:
First up: Many DVD players may be vulnerable to a buffer overflow in
a commonly used ActiveX control. Updates
InterActual and CinePlayer are two applications that are known to be
vulnerable, and both are widely deployed. While exploitation of ActiveX
controls is usually minimal, we would not be surprised to see this incorporated
into those existing sites that are already trying to exploit other Windows
vulnerabilities. As always, the victim must be enticed into visiting the
criminal site in the first place.
McAfee's ePolicy Orchestrator and ProtectionPilot sitemanager ActiveX
control, which is used in the management of a server product, also contains
a buffer overflow vulnerability. The ActiveX control should be found only
on machines that run the server product itself or the remote management
console. Exploitation of the vulnerability can result in code of the criminal's
choice running in the security context of the victim user. Updates are
This column was originally
published in our weekly Security Watch newsletter.
Bad Backup Plan
Okay, this one doesn't involve an ActiveX control: An unauthenticated
criminal could send malicious RPC packets via TCP port 6502 and UDP port 111 to
a CA BrightStor ARCserve Backup server and cause an overflow in the tape
service. Exploitation could result in code of the criminal's choice
running in the security context of the service. Patches
Yet another vulnerability in a backup service, this flaw is likely to
be a problem on large open networks such as those at .EDU networks.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.