IDS mailing list archives

ActiveX programs


From: "Ravi Chunduru" <ravi.is.chunduru () gmail com>
Date: Wed, 4 Jun 2008 18:42:22 -0700

I am not familiar with Windows technologies much. Please correct me if I am wrong.

My understanding is that once ActiveX programs are installed, their functions can be activated by JavaScript in the browser context. They don't have the origin policy concept that browsers provide for applets. Because of this, when users get attracted to a malicious website, they might inadvertently provide control of their machine (or execute some commands) if the JavaScript in the pages accesses a vulnerable function of an already installed ActiveX program.

Today I saw one CVE disclosure: CVE-2008-0953: HP Online Support ActiveX Multiple Vulnerabilities. There is a very good PoC at http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf. I found this on the full-disclosure mailing list. In that document there is a Snort rule which checks for a specific CLSID.

My question is on false positives. Won't it give a false positive if the user is going to the HP support site? IMO, the rule should check the 'Host' field in addition to the CLSID: the 'Host' field value should not match '*hp.com'. Since the Host and CLSID information comes in two different directions (client to server in the case of Host, and server to client in the case of CLSID), it may require two rules with state tracking.

Am I making sense?

Thanks,
Ravi.
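The state-tracking idea sketched above (remember the Host header seen client to server, consult it when a watched CLSID appears in the server to client response on the same flow), as an added Python illustration that is not part of the original post or of the CSIS document; the CLSID value, the trusted-domain list, the flow keys and the traffic are constructed placeholders. It also shows why the suffix check must respect a label boundary so that a host merely ending in the letters 'hp.com' is not treated as the vendor.

```python
import re
from dataclasses import dataclass, field

# Placeholder CLSID: the real value from the advisory is not reproduced here.
WATCHED_CLSIDS = {"00000000-0000-0000-0000-000000000000"}
CLSID_RE = re.compile(rb"clsid\s*:\s*\{?(?P<clsid>[0-9a-f-]{36})\}?", re.I)
HOST_RE = re.compile(rb"^Host:\s*(?P<host>[^\r\n]+)", re.I | re.M)
TRUSTED_SUFFIXES = ("hp.com",)  # domains where the control legitimately loads


def host_is_trusted(host: str) -> bool:
    """Match on a label boundary: 'support.hp.com' yes, 'nothp.com' no."""
    host = host.lower().split(":")[0]  # drop any :port
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


@dataclass
class FlowTracker:
    """Per-flow state (like a Snort flowbit): Host header seen on the request side."""
    hosts: dict = field(default_factory=dict)

    def on_request(self, flow, data: bytes) -> None:
        m = HOST_RE.search(data)
        if m:
            self.hosts[flow] = m.group("host").decode("ascii", "replace").strip()

    def on_response(self, flow, data: bytes) -> list:
        alerts = []
        for m in CLSID_RE.finditer(data):
            clsid = m.group("clsid").decode().lower()
            if clsid not in WATCHED_CLSIDS:
                continue
            host = self.hosts.get(flow)
            # No Host seen for this flow: alert anyway rather than fail silent.
            if host is not None and host_is_trusted(host):
                continue
            alerts.append({"flow": flow, "host": host, "clsid": clsid})
        return alerts


# Constructed traffic: the same response body served from three different hosts.
REQ = b"GET /support.html HTTP/1.1\r\nHost: %s\r\n\r\n"
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<object classid='clsid:00000000-0000-0000-0000-000000000000'></object>")


def run_demo() -> dict:
    tracker = FlowTracker()
    counts = {}  # host -> number of alerts; only the vendor host is suppressed
    for flow, host in enumerate((b"support.hp.com", b"untrusted.example", b"nothp.com")):
        tracker.on_request(flow, REQ % host)
        counts[host.decode()] = len(tracker.on_response(flow, RESP))
    return counts  # {'support.hp.com': 0, 'untrusted.example': 1, 'nothp.com': 1}
```

The suppression only covers the case the post raises (a legitimate visit to the vendor site); a watched CLSID served from the vendor's own domain would not alert, so the trusted list should stay as short as possible.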
