IP: New ActiveX security problems in Windows 98 PCs from RISKS

[Dave Farber <farber () cis upenn edu>]

> Date: Thu, 22 Jul 1999 22:12:27 -0400
> From: "Richard M. Smith" <smiths () tiac net>
> Subject: New ActiveX security problems in Windows 98 PCs
>
> At work, I recently started using a new HP Pavilion computer that is running
> Windows 98.  As part of ongoing research into Internet security issues, I
> discovered that this computer was shipped with 2 ActiveX controls, which are
> extremely dangerous.  These controls can be easily misused on a Web page to
> gain access to the computer and run programs. More worrisome however script
> code can be embedded in an HTML Email messages and the controls accessed in
> Outlook, Outlook Express, and Eudora.  The controls are marked "safe" for
> scripting even though they can do things like launch programs and read and
> write the Windows registry.
>
> Using these controls, some of the malicious things that can be done include:
>
>    - Automatically install a computer virus or other malicious software
>      on a system. 
>
>    - Turn off all Windows security checking, making a system wide-open
>      for future attacks.
>
>    - Read personal files for the local hard disk and silently upload
>      them to a remote Web site.
>
>    - Delete document files from the local hard drive.
>
>    - Remove Windows system files so that a system can no longer be booted.
>
> With less than 30 minutes of effort, I was able to construct a test Email
> message that downloads a Windows executable file from a remote FTP site and
> installs it on the local hard drive using one of these ActiveX controls.
> After the file is successful installed, it then is executed.  For my test
> message, I download and run the Windows calculator.  However, the Email
> message can download any Windows program such as the ExplorerZip virus or
> Back Orifice 2000 install program.  In Outlook Express, this all happens
> automatically when the Email message is read.  There are no attachments that
> have to be clicked on and no warnings with default security settings.
>  
> My test Email message contains only about 10 lines of JavaScript code to
> direct one of the HP ActiveX controls to do the download and run the
> program.  Anyone with experience in JavaScript programming could easily
> duplicate the code that I wrote.  For obvious reasons, I will not be
> publically releasing this test Email message.
>
> Microsoft's Authenticode security system built into Internet Explorer is of
> no use here because the ActiveX controls are pre-installed on the computer
> and not downloaded from the Internet.  Authenticode only allows users to
> prevent downloading of questionable ActiveX controls, not their execution
> once they are installed on a system.
>
> The ActiveX controls are shipped on the HP system for use in system
> diagnostic package called SystemWizard.  This package is a product of
> SystemSoft (<http://www.systemsoft.com>).  The intention is these controls
> would only be used in SystemWizard and no where else.  However, because the
> controls are marked safe for scripting, any Web page or Email message can
> use the controls in any manner they like.  The controls either never should
> have marked safe in the first place or the controls need to do their own
> security checking.  Unfortunately neither precaution was taken.
>
> The two SystemSoft controls are just thin wrappers around a number of Win32
> system calls.  The Launch ActiveX control allows a JavaScript program to run
> a DOS or Windows program and pass in command line parameters.  The RegObj
> ActiveX control allows a JavaScript program to read, set, and scan registry
> keys.  The controls are accessed on a Web page simply by including an HTML
> <OBJECT> tag with appropriate parameters.  Pretty obviously, it is not a
> good idea to allow JavaScript programs to make direct Win32 system calls
> with such ease!
>
> To give an idea how easy the Launch control is to misuse, the following
> JavaScript call will remove the contents of someone's entire "My documents"
> directory using the old DOS deltree command:
>
>     Launch('c:\\command.com', '/c deltree /y "c:\\My documents\\*.*"');  
>
> Both of the SystemWizard ActiveX controls were created last year and my
> understanding have been shipped on most HP desktop systems in the US retail
> channel for at least the last 6 months.  The number of computers, which are
> vulnerable, is therefore quite substantial.  The same controls may also
> being shipped on other brands of computers.
>
> After being alerted to the problems of these two controls, SystemSoft is
> providing a patch file to fix the security holes.  This patch file can be
> downloaded from their Web site at this URL:
>
>    <http://www.systemsoft.com/support/syswiz/index.htm>
>
> In addition to the two SystemSoft ActiveX controls, I also found an another
> ActiveX control pre-installed on the HP system with a privacy leak in it.
> The control can give out Windows 98 registration information such as name,
> address, and phone number to a Web site.  This control was supplied by
> Encompass Corporation (now part of Yahoo) and is used in an ISP sign-up
> program.  The control is marked safe for scripting on a new computer, but is
> marked unsafe for scripting the first time dial-up networking (DUN) is used
> on the system.  This issue is specific to this machine/build of the
> software.  Unfortunately on my HP system, I use a LAN connection to access
> the Internet and therefore the Encompass control stays marked safe for
> scripting forever and could give out registration information (limited to
> name, address, phone number) to a malicious person.  Since I didn't use the
> dial-up portion of the ISP sign up, I just removed the registration
> application by going to the add/remove program files and choosing the "Easy
> Internet Access" application.  The control also remains safe for scripting
> if one uses AOL as an ISP because AOL does not use DUN support in Windows
> 98.
>
> Since Encompass has distributed versions of the software on a different
> machines, I've put together a demo page that will test a system to see if
> the system has a version of the control that could release registration
> information to a malicious person.  The test page can be found at:
>
>    <http://www.tiac.net/users/smiths/acctroj/reginfo.htm>
>
> I also upgrade from version 4 of Internet Explorer to version 5 on the HP
> system.  Unfortunately this upgrade installed yet another dangerous ActiveX
> control on the system.  This control is the DHTML editing control, which can
> be easily misused to read files from the local hard drive and upload them to
> a Web server.  This bug was discovered in March 1999 and has been fixed by
> Microsoft but the majority of IE5 users still are vulnerable because not
> many people know about the problem.  A security bulletin and patch for this
> ActiveX control can be found on the Microsoft Web site:
>
>    <http://www.microsoft.com/security/bulletins/ms99-011.asp>
>
> How did so many of these insecure ActiveX controls get installed on my
> computer in the first place?  Because Internet Explorer (IE4 or IE5) comes
> bundled with Windows 98, it is becoming an increasing popular for computer
> manufacturers to build specialized utilities for their PCs using IE4 just
> like HP has done.  These utilities include registration software, ISP
> sign-up programs, and shells for running common applications.  With Internet
> Explorer 4 it is very easy to develop user-interfaces for these types of
> utilities using standard HTML pages.  ActiveX controls are then typically
> used in these applications to provide low-level access to the Windows
> operating system to do things like run applications, access the registry, or
> read and write files.  These controls are only suppose to be used inside the
> applications they are designed for.  However, IE4 has no built-in mechanism
> for restricting use of a particular ActiveX control to be used with
> particular Web pages.  Therefore it is up to application developer to
> provide a security mechanism in their ActiveX controls.
>
> After looking at the problems of the HP system, I decided to check out other
> new Windows 98 systems from other computer manufacturers for similar unsafe
> ActiveX controls.  The first thing I discovered that is very common for
> manufacturers to ship utilities built as Web pages on their computers.  Most
> of these applications included ActiveX controls for doing things like
> running programs and accessing the registry.  The controls had names like
> "SpawnApp", "SafeLanuch", "RegRead", and "Run".  However, because I didn't
> have direct access to these systems, I have no method to test to see if
> these controls can be misused or not.  Because their is no built-in security
> system in place for pre-installed ActiveX controls it is up to the person
> who writes the control to make sure they are safe.  I have inquired to a
> number of computer manufacturers about the controls I saw, but so far have
> not received back any responses.  Given the subtle nature of ActiveX
> security issues, I wouldn't be surprised that other computer models have
> serious security problems also.
>
> A typical Windows 98 system today ships with about 50 pre-installed ActiveX
> controls that are marked safe for scripting.  Because ActiveX controls are
> Win32 programs it's not possible to really know if a control is really safe
> or not.  The developer's claims about safety cannot necessarily be trusted.
> Without systematic and detailed testing it is not possible to know if given
> control is really safe.  I don't believe full testing is really being done
> today.  For example, here is information about another Microsoft ActiveX
> control that is still being distributed with the Windows 98 Resource Kit
> today:
>
>    <http://support.microsoft.com/support/kb/articles/Q218/6/19.ASP>
>
> This Resource Kit ActiveX control allows Windows programs to be
> executed from a Web page or HTML Email message.
>
> What can users do about all of these different ActiveX security holes?  One
> approach is download patches to fix security holes as they are found.
> Unfortunately for most user's it is not possible to know what ActiveX
> controls are even installed on their system, never mind knowing which ones
> are really safe.  It might require going to 4 or 5 different Web sites just
> sees what security patches are available.  A pretty impossible task for
> almost anyone.
>
> One easy thing users can do is completely turn off ActiveX controls in
> Internet Explorer.  This is done on the security tab of the "Internet
> Options..." command in Internet Explorer.  This option however is only
> available if the Web site that one goes to don't use ActiveX controls.
>
> What can computer manufacturers and software companies do about the problem
> of security holes in pre-installed ActiveX controls?  As it turns out,
> Internet Explorer 5 already offers a great solution.  IE5 supports a new
> feature called HTML applications (or .HTA files).  An HTML Application is
> built like a Web page but can only be loaded and execute from the hard
> drive.  Because an .HTA file comes from the local drive and not the
> Internet, scripts on the page are a completely trusted and are allowed to
> use all ActiveX controls installed on a system whether the controls are
> marked safe or not.  For an HTML application, none of its private ActiveX
> controls have to marked safe for scripting and therefore the controls cannot
> be misused on Web pages.
>
> For current systems, my recommendation is that computer manufacturers need
> to review carefully all the ActiveX controls which are pre-installed on
> computers that are going out the door.  In the review, each control needs to
> be checked for potential security problems.  It is particularly important to
> look at controls, which make Win32 system calls to load and execute other
> programs, read and write files, and access the registry.
>
> I've created a Web page on my personal Web site that will check to see what
> potentially unsafe ActiveX controls are installed on a system.  The URL for
> the test page is:
>
>    <http://www.tiac.net/users/smiths/acctroj/axcheck.htm>
>
> Security problems with ActiveX controls have been a concern for a long time,
> because these controls are binary programs that are allow to make any kind
> of Windows system call.  The industry has mostly been worried about ActiveX
> controls that were intentionally created with malicious code.  Microsoft
> addresses these concerns with the Authenticode security system which allows
> users to decide if they trust a particular author enough to run controls
> that the author has written.  Authenticode is based on adding digital
> signatures to controls.
>
> However, the pattern I see here is a much different issue.  Instead we have
> computer and software vendors installing ActiveX controls on systems without
> any notification and these controls for whatever reasons contain security
> holes in them.  As I've pointed out here, I found 4 different ActiveX
> controls on my HP system for 3 different vendors which compromised the
> safety on my system.  Not exactly a great track record!  Going forward I
> hope that PC makers take a closer look at that the ActiveX controls that
> they are shipping on their systems.  You never know who might be using that
> hidden-away ActiveX to create problems for us computer users.