11.3 ActiveX Security Criticisms

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 11. Malicious ActiveX Controls

ActiveX security, or the lack of security, has more than its fair share of critics.

11.3.1 ActiveX Has No Sandbox

Java experts are quick to point out that ActiveX has no isolating security sandbox to keep controls from causing malicious damage to a computer. Java's default security, they note, at least confines applets to a limited set of computer resources. Virtually everything you can do with a programming language can be done with ActiveX, including remote control Trojans, file damage, and buffer overflows. Not so with Java.

11.3.2 Safe for Scripting Vulnerability

As covered earlier, most of ActiveX's known exploits have come when a control was marked safe for scripting or initialization when it should not have been. It is almost impossible to determine whether a control can be exploited or not. Software publishers can take guesses, or hire hackers to try to exploit them. But until the control has been released to millions of users and undergone long-term investigation, the vendor alone cannot guarantee safety. If this is so, then no control should be marked safe for scripting, and thus ActiveX loses a lot of its functionality.

11.3.3 Buffer Overflows

Buffer overflows are particularly bothersome in ActiveX because, in general, it does no parameter checking. A loosely written control, and there are many, can allow a web page script to error out the control and execute malicious code on a user's system. Several controls on the market today, including the popular Adobe Acrobat Reader™ 4.0, are susceptible. The Acrobat Reader control (PDF.OCX) allows users to view .PDF files within a browser, and is available for Internet Explorer versions 3.0 and above. It is such a great, free tool that it is the rare browser that doesn't have it installed, and thus, most browsers are susceptible to buffer overflows. A demonstration exploit that uses Acrobat's control to run the Windows calculator can be viewed at http://securityfocus.com/data/vulnerabilities/exploits/pdfocx.txt. It could have called FORMAT.EXE just as easily.

11.3.4 Users Can't Be Trusted

Critics correctly point out that users can't be trusted. They execute unknown, untrusted code all the time. There is hardly a computer user I know who doesn't execute the latest joke file sent to them from a friend. Even a warning message isn't enough to make most users pay attention. This is the whole reason macro viruses are the number one type of malicious code. As ActiveX becomes more popular, there will be more and more web pages and emails with embedded controls. Most of those will probably not be digitally signed. After the user gets dozens of download warnings without any problems, the user will just start hitting the OK button without really considering the potential consequences.

Most users don't want the responsibility of determining trust. They want to compute and surf the Web. They don't want to learn about malicious mobile code and the intricacies of browser security. Microsoft addresses some of this argument by accepting signed controls, and denying unsigned controls, by default. But even that isn't completely safe. It is not impossible to think that a strongly motivated individual or group could obtain a digital signature and distribute a malicious control. There have been dozens of cases where real companies used unethical code against unsuspecting users to fraudulently steal money, damage computers, or collect personal information.

11.3.5 Authenticity Doesn't Prevent Tampering

A malicious hacker could take a commercial company's legitimate, trusted control, and use it to modify the computer of someone surfing their web page. For example, many computer vendors install remote access support controls, marked safe for scripting, to help technical support provide help to customers. A hacker could utilize this control to remotely control their victim's PC. Microsoft is working on a system where controls can be designed so they can't be borrowed from other web sites, but so far this solution is not in place.

11.3.6 Authenticode Is Only as Strong as Its Private Keys

Public key encryption schemes fail if the private key is compromised. Authenticode makes an individual or company promise to take the appropriate steps to safeguard their private keys. Many critics feel that lax security exists in most companies, and they doubt that private keys are as well guarded as they should be. Remote administration Trojans or email viruses are easily capable of stealing private keys, and one such attack was successfully demonstrated.

Guarding Private Keys

Microsoft's own private keys are stored in a hardware-based crypto box, called the BBN SafeKeyper™, and stored in a guarded steel and concrete bunker. The crypto box is designed to destroy itself rather than reveal the keys, if compromised. A variation of the BBN SafeKeyper is used to house nuclear missile launch codes on American submarines.

11.3.7 Weak Revocation

Once a control is accepted and downloaded, it is very hard to revoke. If a trusted control was found to have a significant security hole, there would be no automated way to replace the control or take away its trust. Even if the trusted control's digital certificate is revoked, as in the case of the Exploder control, once the control has been trusted, its right to run cannot be easily taken away. Several other revocation weaknesses exist. By default, revocation checking is not turned on in Internet Explorer. Even when turned on, Internet Explorer only checks a certificate's revocation status during the initial download. Lastly, software authentication certificates issued by VeriSign, used by many leading ActiveX developers, are never checked for revocation.

This last point became more significant on March 22, 2001, when Microsoft revealed that VeriSign accidentally gave two Microsoft Corporation digital certificates to unknown persons posing as Microsoft employees on January 29 and 30, 2001. If used inappropriately, these false certificates would allow MMC to appear as Microsoft trusted code. Because VeriSign code-signing certificates cannot be automatically revoked, Microsoft had to release a security update eliminating the vulnerability and warn its customers. This situation underscored a weakness long espoused by critics.

Any digital-signing initiative is exposed to the same risk if a certificate is issued in error.

11.3.8 No Granularity

Another big problem ActiveX has is no granularity. Unlike Java, where you can customize which specific resources an applet can utilize, ActiveX is an all-or-nothing proposition. Once you accept the control, it has the same access to your system as you do. If it decides it wants to delete every file on your hard drive, there isn't much you can do after you've accepted it. You can't decide to allow a control access to just a certain file, or limit it to a specific computer resource. If you or your browser has access, the control has access.

11.3.9 ActiveX Controls Are Registered to the Machine

When controls are downloaded they are registered to the local machine by default (HKCR or HKLM), meaning that on a shared machine, controls and security holes may exist that the current user knows nothing about.

11.3.10 No Easy Way to See All Controls

Although you can easily view some of the downloaded controls within the browser, there is no easy way to see all ActiveX controls installed on a particular machine. If you don't mind a little hard work, you can search the registry or use Microsoft's OLE Viewer tool. I cover both of these methods later on.
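The registry search that sections 11.3.2, 11.3.9 and 11.3.10 describe, as an added PowerShell example that is not the book's own code: it walks HKCR\CLSID, reports which installed controls declare themselves Safe for Scripting or Safe for Initialization, and records each binary's Authenticode status. The two CATID GUIDs are the standard Windows component-category values; the System32 fallback for bare file names is an assumption.

```powershell
# Added example, not from the book: inventory the ActiveX controls registered on this
# machine and flag those marked Safe for Scripting / Safe for Initialization. The two
# CATIDs are the standard component-category GUIDs Windows uses for those markings.

$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

# HKCR is not mapped as a drive by default; controls are registered machine-wide here.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ActiveXInventory {
    foreach ($clsidKey in Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue) {
        $server = Get-ItemProperty -Path "$($clsidKey.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $server) { continue }                    # not an in-process COM server
        $path = [Environment]::ExpandEnvironmentVariables(("$($server.'(default)')" -replace '"', ''))
        if (-not $path) { continue }
        # Heuristic (assumption): a bare file name is resolved from System32 by the loader.
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
        if (-not (Test-Path -LiteralPath $path)) { continue }   # dangling registration

        # Safety is declared through subkeys of "Implemented Categories" named by CATID.
        # Controls can also answer IObjectSafety at run time, which a registry pass cannot
        # see, so absence from this list does not prove a control is unscriptable.
        $categories = @(Get-ChildItem -Path "$($clsidKey.PSPath)\Implemented Categories" -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.PSChildName })

        # Authenticode status of the binary: NotSigned is the unsigned case of 11.3.4;
        # Valid only means the signer chain is trusted, not that the control is safe.
        $sig = Get-AuthenticodeSignature -FilePath $path

        [PSCustomObject]@{
            CLSID         = $clsidKey.PSChildName
            Name          = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
            Path          = $path
            SafeForScript = [bool]($categories -contains $SafeForScripting)
            SafeForInit   = [bool]($categories -contains $SafeForInitializing)
            Signature     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Report only the scriptable controls, grouped by signature status for review.
Get-ActiveXInventory |
    Where-Object { $_.SafeForScript -or $_.SafeForInit } |
    Sort-Object Signature, Name |
    Format-Table CLSID, Name, SafeForScript, SafeForInit, Signature, Signer -AutoSize
```

Drop the `Where-Object` stage to list every registered in-process control rather than only the scriptable ones.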

11.3.11 Security in Browser

Lastly, although ActiveX can and does run outside the browser environment, almost all ActiveX security is configured through Internet Explorer.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176