Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 11.  Malicious ActiveX Controls

11.1 ActiveX

Unlike Java, there isn't an ActiveX programming language. Instead, ActiveX is a group of Microsoft software development tools that allow Windows programs to work across networks. Initially code-named "Sweeper," the ActiveX architecture was formally announced at a San Francisco developers' conference in early 1996, as Microsoft's way to address the booming Internet programming market. At that conference, a slew of new tools were announced in support of ActiveX, including VBScript, the OLE Scripting Service, new APIs, Microsoft-developed Internet protocols, and ActiveX controls. Microsoft released these new tools as part of its ActiveX Software Development Kit (SDK). ActiveX is an extension of Microsoft's 32-bit Windows API and Component Object Model (COM) models, and is now covered under the umbrella of the Distributed COM (DCOM) architecture. DCOM encompasses all programming tools that allow a Windows client to use a server program over a network. This distributed programming architecture culminates in Microsoft's .NET initiative (covered in Chapter 15).

Although it began as a reactionary response to competitive pressures, ActiveX is really just a natural evolution of Microsoft APIs that allow data to be shared between applications. Microsoft's Object Linking and Embedding (OLE) technology allows users to place data objects from one application into another, something DOS couldn't do. The first versions of OLE allowed users to copy data objects from one program to another. For example, a graphic chart could be copied from a spreadsheet into a word processor. The next phase of OLE allowed a linked object to "live" in another application. Now a user could edit a chart in a word processor and, through an OLE link to the spreadsheet, have changes made in one appear automatically in the other. ActiveX extends this functionality and allows not just the data, but the entire application, to be shared across the Internet.

Today, you can save a spreadsheet or document directly to the Web, or allow multiple users flung far across the Internet to make changes to a document you created. Objects, pictures, even sound files, can be linked from their distributed locations onto one page. ActiveX includes all the tools and methods to allow programmers to distribute their applications across the Web into users' desktops.

ActiveX programs can be installed, used, and executed by hundreds of applications, including Microsoft's Outlook, Outlook Express, and Office product lines. Throughout this chapter, I will be discussing ActiveX as it runs within a browser only.

11.1.1 ActiveX Controls

An ActiveX control is an executable program that can be automatically delivered over the Internet, where it usually runs within a browser. In contrast to Java applets, which are created in their own special language, ActiveX controls can be written in many different languages, including C++, Visual Basic, Visual C++, Delphi, Powersoft, Java, C-Sharp (C#), and Visual J++. And because ActiveX controls are based on the OLE specification, controls written in one language can be re-used within controls written in another language. ActiveX controls are compiled into fast 32-bit machine language for Windows platforms. This means they can run only on systems that work with the Win32 API, and they lose the portability advantage gained by Java.

Since ActiveX controls are compiled programs originating from a variety of programming languages, they aren't limited to a basic set of routines. Besides being able to jazz up web pages and build sophisticated user forms, ActiveX controls can be any program they want to be. Complete spreadsheet and database programs are no problem. Local disk systems can be manipulated, connections can be established to other computers and networks, files transferred, and all of this is invisible to the user. It is this feature-rich openness that worries security experts. Every type of malicious code exploit that can be attempted with viruses, worms, and Trojans, can be accomplished with ActiveX.

When you accept a control for the first time, the control is downloaded to your computer and the appropriate registry entries are created. Controls are registered in the HKCR\CLSID subkey, and can also be found in HKLM\Software\Classes. ActiveX controls usually have the file extension .OCX, which stands for OLE Control, but a control could have any extension. The typical Windows system has dozens of controls installed. Most are located in C:\%windir%\SYSTEM and, if you have MS Office installed, C:\%windir%\Program Files\Common Files\Microsoft Shared. Controls downloaded and installed by Internet Explorer are usually located at C:\%windir%\Download Program Files.

Files in C:\%windir%\Download Program Files are specifically concealed by the newer versions of Windows and will not show up with a File Find or DIR command. But you can use Windows Explorer or the DOS Change Directory and find the hidden subdirectory.

Internet Explorer 3.x stores ActiveX controls in C:\%windir%\OCCACHE.

11.1.2 ActiveX Scripting

Scripting languages, like VBScript, JScript, JavaScript, Python, PowerScript, Tcl/Tk, and Perl, can be used within a web page to direct the functionality of an ActiveX control. ActiveX controls can be written to run differently based upon the parameters passed to them by the scripting language that calls them. For example, a web site can start the ActiveX downloading process as soon as the web page loads, or tell the control to manipulate different files based on end-user input.

11.1.2.1 Safe for scripting and initializing

ActiveX controls can be defined as Safe for Scripting and Safe for Initialization by the software publisher. By designating the control as safe, the vendor is saying that the control cannot be used maliciously and is safe to be manipulated by other scripting languages. Safe for Initialization means that no matter what values are passed to the control during its startup, it cannot do damage to a user's system. Safe for Scripting means that the control cannot be used maliciously no matter how it is manipulated. Although each control has two safety settings, most of the popular press focuses on the Safe for Scripting moniker, even when referring to both. Controls that can create, read, or write files, or write to the registry, are not considered explicitly safe unless their actions are predetermined and specific.

Without this predefined safety check, a seemingly innocuous program could easily be used to do harm that the original publisher (programmer) did not intend. For example, a control could be built as a popup word processor that lets a user write and save notes. If marked Safe for Scripting, a malicious web page might be able to load the control, create and save new files, and use it to overwrite the user's startup files. There is much discussion within the security industry over this controversial setting. In particular, how does a vendor guarantee that a control is bug free and not susceptible to abuse by other programs? There is no standard way for a vendor to test the safety of their code. As we will see later, it's difficult for a vendor to consider all the possible interactions of their program.

Safe for Scripting or Initialization does not mean the control is safe for use. There might be a control that scrambles and deletes all your files when you execute it. As long as the result was not implemented by a script or initiated during startup by an unintended third party, it could still qualify for the Safe for Scripting setting. Obviously, this control would not be safe to have on your computer.
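The safety marks described above are recorded in the registry as Component Categories under each control's CLSID key, so an administrator can audit which installed controls claim them. The following PowerShell script is an added example, not code from the book; the function name Get-ActiveXSafetyMarks is my own. It assumes a Windows host, uses the documented category GUIDs for Safe for Scripting and Safe for Initializing, and also reports whether the control's kill bit (the "Compatibility Flags" value under Internet Explorer's ActiveX Compatibility key) is set. One caveat: a control can instead declare safety at runtime through the IObjectSafety interface, which a registry audit cannot see, so an absent mark here does not prove a control is unscriptable.

```powershell
# Added example (not from the book): list registered COM classes that are
# marked Safe for Scripting / Safe for Initialization via Component Categories,
# and show whether Internet Explorer's kill bit blocks them anyway.
# Assumes a Windows host; the HKCR: drive is created here if it does not exist.

$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a control

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ActiveXSafetyMarks {
    Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $cats  = Join-Path $_.PSPath 'Implemented Categories'
        if (-not (Test-Path $cats)) { return }   # no categories: skip

        $safeScript = Test-Path (Join-Path $cats $CATID_SafeForScripting)
        $safeInit   = Test-Path (Join-Path $cats $CATID_SafeForInitializing)
        if (-not ($safeScript -or $safeInit)) { return }

        # Where the control's code lives: default value of InprocServer32
        $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') `
                   -ErrorAction SilentlyContinue).'(default)'

        # Kill bit check: a killed control is refused by IE regardless of safety marks
        $compat = Get-ItemProperty -ErrorAction SilentlyContinue `
            -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $killed = [bool]($compat -and (($compat.'Compatibility Flags' -band $KillBit) -ne 0))

        [pscustomobject]@{
            CLSID            = $clsid
            Name             = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            SafeForScripting = $safeScript
            SafeForInit      = $safeInit
            KillBitSet       = $killed
            Server           = $server
        }
    }
}

# Usage: print every control that claims a safety mark, most useful sorted by name
Get-ActiveXSafetyMarks | Sort-Object Name | Format-Table -AutoSize
```

Controls listed with SafeForScripting set to True and KillBitSet set to False are the ones any web page rendered by Internet Explorer may drive with script, which is the population worth reviewing against the "not explicitly safe" criteria in the text.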

11.1.3 Differences Between ActiveX and Java

ActiveX is often thought of as a Microsoft Java clone. It isn't. Beyond the common goal of being optimized for Internet component downloading, the two platforms don't share much in common. Here are some key differences:

  • An ActiveX object is compiled, not interpreted. This means ActiveX programs can run extremely fast compared to Java programs.

  • ActiveX controls can be made with many different languages. Java applets can only be made by Java.

  • ActiveX controls can do more than Java applets.

  • ActiveX doesn't have the platform independence of Java.

  • ActiveX controls only work in Microsoft's Internet Explorer browser (or with Netscape's browser with an ActiveX plug-in).

  • With ActiveX there is no difference between the security rights given to local or remote programs.

11.1.4 Activating ActiveX

Web developers include an <OBJECT> tag within their HTML page (see Example 11-1) to automatically download a control to the browser, much as with a Java applet. The ID field defines the name used by any related scripting language that references the control. The CLASSID is a globally unique identifier used to identify the control (something you'll need to become comfortable with to locate a specific control on your machine), and the CODEBASE contains file identification information (minimum version and location). HEIGHT and WIDTH tell the browser how many pixels tall and wide to make the displayed control. Other custom startup parameters, such as the background color, can be passed to the control as it starts.

Example 11-1. Example HTML page with ActiveX Control

    <HTML>
    <HEAD>
    <TITLE> Draw a Square </TITLE>
    </HEAD>
    <BODY>
    Here is a sample square from ActiveX:
    <OBJECT ID="Sample" CODEBASE="http://www.roger.com/controls/Sample.ocx"
            HEIGHT="101" WIDTH="101"
            CLASSID="clsid:0342D101-2EE9-1BAF-34565634EB71">
      <PARAM NAME="Version" VALUE="45445">
      <PARAM NAME="ExtentX" VALUE="3001">
      <PARAM NAME="ExtentY" VALUE="2445">
    </OBJECT>
    </BODY>
    </HTML>

When you surf across a web page with a signed ActiveX control, the browser reviews the CLASSIDs stored in the registry to see if the control is already installed. If not, the web page's CODEBASE attribute tells the browser where the appropriate control can be found. If the browser still cannot find the control at the location specified by the CODEBASE attribute, it can try contacting one of several servers where signed controls are registered. The servers are registered at HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath. Normally, http://activex.microsoft.com/objects/ocget.dll or http://codecs.microsoft.com/isapi/ocget.dll will be stored as default locations. The server then checks a list of all controls and their CLASSIDs that have been registered with it and tells the browser where the control can be downloaded. This, of course, is invisible to the end user and happens in seconds.
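The lookup sequence just described (CLASSID in the registry first, then CODEBASE, then CodeBaseSearchPath) can be reproduced by hand when reviewing a page before letting a browser load it. The PowerShell below is an added example, not code from the book; the function Get-HtmlObjectTags is my own, and the sample HTML is constructed for the example with an all-zero placeholder CLASSID rather than a real control. It pulls every <OBJECT> tag out of the page, normalizes the CLASSID, reports whether that CLSID is already registered on the host, and prints the CodeBaseSearchPath the browser would fall back to.

```powershell
# Added example (not from the book): parse <OBJECT> tags from an HTML page and
# check each CLASSID against the local registry, the same order of lookup the
# text describes. Assumes a Windows host. The HTML and its CLASSID are
# constructed placeholders, not a real page or control.

$sampleHtml = @'
<HTML><BODY>
Here is a sample control:
<OBJECT ID="Sample"CODEBASE="http://www.example.com/controls/Sample.cab"
        HEIGHT="101" WIDTH="101"
        CLASSID="clsid:00000000-0000-0000-0000-000000000000">
  <PARAM NAME="Version" VALUE="45445">
</OBJECT>
</BODY></HTML>
'@

function Get-HtmlObjectTags {
    param([string]$Html)
    # One match per <OBJECT ...> opening tag; group 1 holds the attribute text.
    foreach ($tag in [regex]::Matches($Html, '<OBJECT\b([^>]*)>', 'IgnoreCase')) {
        # Attribute regex tolerates missing whitespace between attributes,
        # as in the book's Example 11-1 (ID="Sample"CODEBASE=...).
        $attrs = @{}
        foreach ($a in [regex]::Matches($tag.Groups[1].Value, '(\w+)\s*=\s*"([^"]*)"')) {
            $attrs[$a.Groups[1].Value.ToUpper()] = $a.Groups[2].Value
        }

        # Normalize "clsid:xxxx" to the braced registry form {XXXX}
        $clsid = $null
        if ($attrs['CLASSID'] -match '^clsid:([0-9A-Fa-f-]+)$') {
            $clsid = '{' + $Matches[1].ToUpper() + '}'
        }
        $installed = $false
        if ($clsid) { $installed = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" }

        [pscustomobject]@{
            Id        = $attrs['ID']
            Clsid     = $clsid
            CodeBase  = $attrs['CODEBASE']
            IsCabinet = [bool]($attrs['CODEBASE'] -match '\.cab(\?|#|$)')  # .CAB may carry INF/setup code
            Installed = $installed
        }
    }
}

# Fallback servers the browser would ask if CODEBASE fails (see text above)
$inet = Get-ItemProperty -ErrorAction SilentlyContinue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
"CodeBaseSearchPath: $($inet.CodeBaseSearchPath)"

# Usage: list every OBJECT tag in the sample page
Get-HtmlObjectTags -Html $sampleHtml | Format-List
```

Installed set to False with a CodeBase pointing at a remote host is exactly the case where the browser would fetch and register new code, so those rows are the ones to examine (signature, publisher, and whether the CLSID is already kill-bitted) before the page is opened in Internet Explorer.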

11.1.4.1 Cabinet archival files

A single ActiveX control can be made up of dozens of files. Besides the OCX executable code, a control might depend on audio, video, and other support files to run. Basic HTML forces each file to be downloaded over a separate connection, wasting time and increasing the chance of error. When Microsoft needed a way to deliver all the necessary control files in one package, they extended an already existing file structure. Cabinet archival files (they have a .CAB extension) started being used by Microsoft in full force with the release of Windows 95. All the files within a cabinet file are first merged together to form one larger file, and then compressed. This results in better compression and faster downloading.

Cabinet files also contain the necessary information needed to install the control, such as .INF files and registry entries. Developers also have the option of including the necessary dependent files within the cabinet container, or having them downloaded as needed. For example, a user might download an ActiveX control that requires Visual Basic 5.0 support files to run. The cabinet file will determine if the appropriate files are already installed, and if not, download them from the developer's web site, or from Microsoft's web site.

Cabinet files are used to package all types of Microsoft program files, not just controls.

Cabinet files can even contain separate executable code used in the initialization and installation process. This last point has been used to form malicious email exploits (covered in Chapter 12). Internet Explorer 3.0 was the first browser to accept cabinet files. Windows uses the ActiveX Setup Install control, C:\%windir%\SYSTEM\INSENG.DLL, to handle unpacking signed cabinet files and executing them. The control is used by Internet Explorer, Outlook, and other ActiveX-compatible programs.


ISBN: 156592682X
Year: 2001
Pages: 176