Full Disclosure mailing list archives

RE: Software vendors just don't get ActiveX security


From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 3 Jul 2003 14:30:14 -0400

> Software vendors continue to not understand ActiveX security issues.  I
> found a number of ActiveX controls on my laptop which are marked "safe
> for scripting", but they are clearly not.  These controls contain
> methods which can be used from a Web page to do things like run
> programs, download files from Web sites to the local hard drive, provide
> file system access, etc.

Yes, several vendors have made errors, and even Microsoft, the inventor of
ActiveX, has had its stumbles:

Unsafe Functions in Office Web Components (OWC)
http://www.microsoft.com/technet/security/bulletin/ms02-044.asp

Outlook View Control Exposes Unsafe Functionality
http://www.microsoft.com/technet/security/bulletin/ms01-038.asp

Unsafe ActiveX Controls Vulnerability in Internet Explorer
http://www.microsoft.com/technet/security/bulletin/ms99-037.asp

The biggest problem with this entire class of vulnerabilities is that the
flaws are often trivial to exploit.  In general, the original design of
ActiveX was poorly done -- it completely omitted any procedure for dealing
with controls containing security vulnerabilities.

IMO, if there were a review process associated with a "Safe for Scripting"
control, these vulnerabilities could be reduced.  At least as far as
Microsoft is concerned, these issues appear to be declining in number. 
MS99-037 fixed an entire list of potentially vulnerable components, and
since then, only two controls that deliberately exposed unsafe
functionality have been found.  Deliberately exposing unsafe functionality
excludes things like buffer overflows, which are purely accidental (we
hope), and go beyond ActiveX into more general security issues.

[snip]

> Every Windows computer I've owned since 1998 has come preinstalled with
> ActiveX controls which were mismarked as "safe for scripting".  I don't
> see this problem getting solved.  There doesn't seem to be any mechanism
> for educating software vendors about ActiveX security.  The same
> mistakes are being made over and over again.  Perhaps ActiveX security
> is just too difficult.

In my opinion, designating "safety" should not rest with a potentially
biased developer.  There should be an external entity for testing code
safety, much as there is for proving the authenticity of code -- although
this has been historically broken.

Unfortunately, ActiveX is much like the rest of internet technology --
security is an after-thought.  I do not see this broader cycle being broken
anytime soon, until technology consumers demand appropriate infrastructure
for dealing with present flaws, as well as potential future vulnerabilities.
