IDS mailing list archives
ActiveX programs
From: "Ravi Chunduru" <ravi.is.chunduru () gmail com>
Date: Wed, 4 Jun 2008 18:42:22 -0700
I am not very familiar with Windows technologies. Please correct me if I am wrong.

My understanding is that once ActiveX programs are installed, their functions can be activated by JavaScript in the browser context. They don't have the origin policy concept that browsers provide for applets. Because of this, when users are attracted to a malicious website, they might inadvertently give up control of their machine (or execute some commands) if the JavaScript in the pages accesses a vulnerable function of an already installed ActiveX program.

Today I saw one CVE disclosure: CVE-2008-0953: HP Online Support ActiveX Multiple Vulnerabilities. There is a very good POC at http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf. I found this on the full-disclosure mailing list. In that document there is a Snort rule which checks for a specific clsid.

My question is about false positives. Won't it give a false positive if a user is going to the HP support site? IMO, the rule should check the 'Host' field in addition to the clsid. The 'Host' field value should not have '*hp.com'. Since the Host and clsid information comes in two different directions (client to server in the case of Host and server to client in the case of clsid), it may require two rules with state tracking.

Am I making sense?

Thanks,
Ravi
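The two-rule, state-tracked check proposed in the message above, sketched as an added example that is not part of the original post or of the advisory's rule. It goes one step beyond the literal '*hp.com' pattern by matching on a domain-label boundary; the CLSID is a placeholder because the post does not quote it, the names `FlowTracker` and `host_is_trusted` are hypothetical, and the sample traffic is constructed.

```python
import re

# Placeholder: the post does not quote the CLSID used by the advisory's Snort rule.
PLACEHOLDER_CLSID = "00000000-0000-0000-0000-000000000000"
TRUSTED_DOMAIN = "hp.com"  # the exemption the post proposes

HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n:]+)", re.I | re.M)
CLSID_RE = re.compile(rb"clsid:\s*\{?" + re.escape(PLACEHOLDER_CLSID.encode()), re.I)


def host_is_trusted(host: str) -> bool:
    """True for hp.com or a subdomain, not for any name that merely ends in 'hp.com'."""
    host = host.strip().rstrip(".").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class FlowTracker:
    """Per-connection state: the role a flowbit plays between two Snort rules."""

    def __init__(self):
        self.trusted = {}  # flow id -> did the latest request name a trusted Host?

    def on_request(self, flow_id, data: bytes) -> None:
        """Client-to-server side: record whether the Host header is exempt."""
        m = HOST_RE.search(data)
        # Overwritten on every request, so a keep-alive flow cannot keep stale trust.
        self.trusted[flow_id] = bool(m) and host_is_trusted(
            m.group(1).decode("ascii", "replace"))

    def on_response(self, flow_id, data: bytes) -> bool:
        """Server-to-client side: alert if the CLSID arrives on an untrusted flow."""
        return bool(CLSID_RE.search(data)) and not self.trusted.get(flow_id, False)


def demo() -> dict:
    """Run constructed request/response pairs and return host -> alert raised."""
    page = (b"HTTP/1.1 200 OK\r\n\r\n<object classid='clsid:"
            + PLACEHOLDER_CLSID.encode() + b"'></object>")
    tracker, results = FlowTracker(), {}
    for flow_id, host in enumerate(["support.hp.com", "evilhp.com", "hp.com.example.net"]):
        tracker.on_request(flow_id, b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n")
        results[host] = tracker.on_response(flow_id, page)
    return results


if __name__ == "__main__":
    print(demo())
```

The Host header only reflects the name the browser requested, so this exemption trusts every page served under hp.com.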