Full Disclosure mailing list archives
RE: Software vendors just don't get ActiveX security
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 3 Jul 2003 14:30:14 -0400
Software vendors continue to not understand ActiveX security issues. I found a number of ActiveX controls on my laptop which are marked "safe for scripting", but they are clearly not. These controls contain methods which can be used from a Web page to do things like run programs, download files from Web sites to the local hard drive, provide file system access, etc.
Yes, several vendors have made errors, and even Microsoft, the inventor of ActiveX, has had its stumbles:

Unsafe Functions in Office Web Components (OWC)
http://www.microsoft.com/technet/security/bulletin/ms02-044.asp

Outlook View Control Exposes Unsafe Functionality
http://www.microsoft.com/technet/security/bulletin/ms01-038.asp

Unsafe ActiveX Controls Vulnerability in Internet Explorer
http://www.microsoft.com/technet/security/bulletin/ms99-037.asp

The biggest problem with this entire class of vulnerabilities is that the flaws are often trivial to exploit. In general, the original design of ActiveX was poorly done -- it completely omitted any procedure for dealing with controls containing security vulnerabilities. IMO, if there were a review process associated with a "Safe for Scripting" control, these vulnerabilities could be reduced.

At least as far as Microsoft is concerned, these issues appear to be declining in number. MS99-037 fixed an entire list of potentially vulnerable components, and since then, only two controls that deliberately exposed unsafe functionality have been found. Deliberately exposing unsafe functionality excludes things like buffer overflows, which are purely accidental (we hope), and go beyond ActiveX into more general security issues.

[snip]
Every Windows computer I've owned since 1998 has come preinstalled with ActiveX controls which were mismarked as "safe for scripting". I don't see this problem getting solved. There doesn't seem to be any mechanism for educating software vendors about ActiveX security. The same mistakes are being made over and over again. Perhaps ActiveX security is just too difficult.
In my opinion, designating "safety" should not rest with a potentially biased developer. There should be an external entity for testing code safety, much as there is for proving the authenticity of code -- although this has been historically broken. Unfortunately, ActiveX is much like the rest of internet technology -- security is an after-thought. I do not see this broader cycle being broken anytime soon, until technology consumers demand appropriate infrastructure for dealing with present flaws, as well as potential future vulnerabilities.
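Added example, not part of the original post or of any vendor's tooling: a PowerShell inventory of the COM classes on a machine that are registered under the "safe for scripting" or "safe for initializing" component categories, with the Authenticode signer of each in-process server so the list can be grouped by vendor for review. It assumes the standard CLSID registry locations and InprocServer32 registrations; function names are this example's own. Controls that declare safety at run time through IObjectSafety have no registry marking and will not appear.

```powershell
# Added example: list COM classes registered as safe for scripting/initializing.
# The two CATIDs are the standard component-category GUIDs; all other data
# is read from the local registry at run time.
$SafeCats = @{
    '{7DD95801-9882-11CF-9FA8-00AA006C08C4}' = 'SafeForScripting'
    '{7DD95802-9882-11CF-9FA8-00AA006C08C4}' = 'SafeForInitializing'
}
$ClsidRoots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID',
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
)

function Get-DefaultValue([string]$Path) {
    # Returns the key's unnamed (default) value, or nothing if the key is absent.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' }
}

function Get-SafeMarkedControl {
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $cats = Join-Path $key.PSPath 'Implemented Categories'
            if (-not (Test-Path -LiteralPath $cats)) { continue }
            # Keep only the category subkeys that carry a safety marking.
            $marks = @(Get-ChildItem -LiteralPath $cats -ErrorAction SilentlyContinue |
                ForEach-Object { $SafeCats[$_.PSChildName] } | Where-Object { $_ })
            if ($marks.Count -eq 0) { continue }
            $server = Get-DefaultValue (Join-Path $key.PSPath 'InprocServer32')
            if ($server) { $server = $server.Trim('"') }
            $sig = if ($server -and (Test-Path -LiteralPath $server)) {
                Get-AuthenticodeSignature -LiteralPath $server
            }
            [pscustomobject]@{
                Clsid           = $key.PSChildName
                Name            = Get-DefaultValue $key.PSPath
                MarkedAs        = $marks -join ','
                Server          = $server
                SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
                Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            }
        }
    }
}

Get-SafeMarkedControl | Sort-Object Signer, Name |
    Format-Table -AutoSize Clsid, Name, MarkedAs, SignatureStatus, Signer
```

The registry marking and a valid signature only say who shipped the control and what the developer asserted about it; whether each exposed method is actually safe to call from a Web page still has to be reviewed per control.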