11.6 Removing and Preventing Malicious ActiveX Controls


 
Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 11.  Malicious ActiveX Controls

This section discusses several things you can do to remove malicious ActiveX controls and minimize the risk they pose. The following items were covered in Chapter 10 and aren't repeated in detail here:

  • Total security: Disable ActiveX, scripting of ActiveX objects, or Internet access

  • Use an antivirus scanner

  • Use latest browser version

  • Apply the latest security patches

  • Avoid malicious sites

  • Be aware of socially engineered malicious code.

The following sections cover further items in more detail.

11.6.1 Run Only Trusted Code

Running only code you trust is a significant step in reducing your exposure to malicious mobile code. In the theoretical world of ActiveX, this means running only digitally signed code. With the Internet zone's default security setting, this is automatic. At the Low setting, you will be prompted whether you want to run unsigned code. With any other setting, unsigned code is discarded without any user notification.

Unfortunately, trusted and signed code fails the digital certification process all the time. Sometimes the cause is something as small as a web site name change (the name is stored in the certificate) or an expired certificate. Most controls aren't signed at all (see Figure 11-12). They come from legitimate vendors and are safe to use, but for whatever reason the programmers didn't go through the extra effort and expense of digitally signing the code. Thus, it is up to the user whether or not to accept the unauthenticated code. This is ActiveX's biggest weakness. Unless you have the time and the skill to examine the source code yourself, you are taking a leap of faith when you accept unsigned code. You should take that leap only for vendors you trust, and you should rarely trust noncommercial vendors. In environments where security is a must, you shouldn't run unsigned code at all.

Figure 11-12. VeriSign does not have a digital ID on file for this control

Network administrators can use the registry or the Internet Explorer Administration Kit (IEAK, briefly covered in Chapter 9) to set a list of approved controls. No other controls can be installed or executed. Approved controls are stored by their CLASSIDs at HKCR\Software\Policies\Microsoft\windows\CurrentVersion\Internet Settings\Allowed Controls.

11.6.2 Kill Bit Setting

Administrators and users can set a kill bit flag in the registry so that Internet Explorer will not load specific controls. To do so, the control's CLASSID must be known. Then the following registry key must be located or created: HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CLASSID}. Locate the Compatibility Flags value; by default it can hold any of several values. Setting it to 400 (hexadecimal, that is 0x400) instructs Internet Explorer not to load the control. This is a good way for administrators to prevent known controls from running if they've had a problem with them previously.

The kill bit only works within Internet Explorer, and thus some controls can bypass the setting. For example, I set the kill bit on Adobe's Acrobat ActiveX control. When I clicked on a .PDF document in Internet Explorer, the control was not launched. However, I downloaded the same .PDF document to my hard drive and clicked on it in Internet Explorer. Explorer automatically loaded Windows Explorer to handle the local file, which then loaded Acrobat and displayed the .PDF document. This just reinforces one of the standing criticisms of ActiveX: its security is enforced only by the browser.

11.6.3 Examine Certificates

Most of the time, I readily accept signed code without hesitation. But if you suspect a digital ID has been tampered with, or you don't fully trust the vendor, carefully inspect the certificate during download. When you download a new, signed control, Internet Explorer will display the control's certificate and prompt you to accept it (unless you've already told it to automatically download all controls from a previously trusted publisher). The acceptance dialog box contains links to the publisher's certificate. Click on the name of the software publisher to view the author's certificate and then choose Details (see Figure 11-13) to reveal more information. The certificate contains the author's name, the control's name, the CA's name, the certificate's expiration date, and over a dozen other details that attest to the author's identity.

Figure 11-13. Certificate details

You can save the certificate for later inspection by choosing the Copy to File button in Figure 11-13. This starts Microsoft's Certificate Manager Export wizard. You will be prompted with a couple of options, including where to save the file. The file will be encrypted and have a .CER extension. When you click on the saved file in Explorer, it will be opened by Microsoft's CRYPTEXT.DLL application, and the certificate will appear in its original form for inspection. It is important to note that if you do not choose to save a copy of the certificate to disk during the initial certificate viewing, it will be difficult to resurrect later.

Microsoft explicitly prevents certificate files from being sent in Outlook with the latest patches installed. This is because they fear a malicious hacker could send a .CER file to a user, who could then unsuspectingly install it (the user would have to be tricked into accepting it). Once installed, any program from the malicious hacker would be automatically downloaded and executed.

11.6.4 Configure ActiveX Browser Security

There are five security settings related to ActiveX controls under Tools → Internet Options → Security → Custom → ActiveX controls and plug-ins:

  • Download signed ActiveX controls.

  • Download unsigned ActiveX controls.

  • Initialize and script ActiveX controls not marked as safe.

  • Run ActiveX controls and plug-ins.

  • Script ActiveX controls marked safe for scripting.

If your company needs absolute security, disable all ActiveX options. This will require a custom security setting in the appropriate zone. With Internet Explorer 5.x, the default Internet security zone is set to Medium. Medium security disables downloading unsigned controls and disables scripting of controls not marked as safe. Medium security is a good level for most end-user PCs to have, except that I like to have the option of choosing whether to accept or deny unsigned controls. The Internet is full of legitimate unsigned controls, and although I don't necessarily run them, I do like knowing when a particular web page tries to initiate an unsigned control on my system. If I am not warned, then I can't consider the validity of the request. And in some cases, where I have complete trust in the vendor's site, I will accept and run an unsigned control. Table 11-1 is a security matrix showing the relationships between Internet Explorer's different security settings and my custom recommendations. Normal end users without an understanding of ActiveX security and risks should have their security settings set to Medium or High.

Table 11-1. Internet Explorer 5.x settings related to ActiveX

ActiveX security item description                          High    Medium  Medium Low  Low     My Custom
Download signed ActiveX controls                           D [1]   P [1]   P           E [1]   P
Download unsigned ActiveX controls                         D       D       D           P       P
Initialize and script ActiveX controls not marked as safe  D       D       D           P       P
Run ActiveX controls and plug-ins                          D       E       E           E       E
Script ActiveX controls marked safe for scripting          E       E       E           E       E

[1] D=Disable, E=Enable, P=Prompt.

After coming to grips with the fact that few ActiveX controls can ever be completely safe, Microsoft defaulted Internet Explorer 6.0's Restricted zone with Script ActiveX controls marked safe for scripting disabled.

Most options are self-explanatory, but some users get confused about the difference between the options controlling downloading and those that control the running of ActiveX controls. If you disable running ActiveX controls and plug-ins, your browser will not run any controls or plug-ins, even if they are already downloaded and trusted. The download security items are concerned only with whether or not to download, and they play no part in the decision of whether to launch ActiveX controls. If enabled, all ActiveX controls are downloaded to a temporary directory, even before being reviewed for a digital signature. So if you want to disable ActiveX controls, make sure to disable the downloading of them as well. If a malicious control were placed in the temporary directory, there is a small risk that a hacker could execute the downloaded control via some other method. Figure 11-14 shows the warning Internet Explorer will display when a plug-in or control is attempting to download and security is set to High.

Figure 11-14. Internet Explorer warning when a plug-in or control is attempting to download

11.6.5 Remove Unnecessary Controls

Over a period of time, any browser will become a repository for unused controls. Most come from web sites visited once, to which the user will never return. Use Tools → Internet Options → Settings → View Objects to view the controls and applets downloaded and trusted by your browser. You can right-click any object to get more details. The CODEBASE field will often tell you where the control came from. You can remove any objects you are sure you are not using or you don't trust. Although there have been security risks involving installed Microsoft controls, deleting them could produce functionality problems within Windows, Internet Explorer, and certain web pages. You are better off leaving them, unless you need absolute security. In the Figure 11-15 example, the NFL.COM control was left installed well after I visited the http://www.nfl.com web site to follow a playoff game. I don't plan to return to the site, so it should be removed.

Figure 11-15. Installed controls

To remove an ActiveX control, right-click the object and choose Remove. Alternately, you can use Start → Control Panel → Add/Remove Programs. Microsoft prefers that you attempt this method first; it will attempt to remove registry entries and files. You can also delete any .OCX file using Internet Explorer or Find File. As shown in Figure 11-16, you can choose File → Properties to see more details on any control to help with your removal decision.

Figure 11-16. Properties of a control

11.6.5.1 Reappearing controls

Some deleted controls can reappear without warning if you selected the Always Trust Content From This Vendor option during installation. Since the vendor's certificate is still trusted, if you visit a site containing one of the deleted controls from a trusted vendor, it will automatically download again. In these cases, you would also have to remove the trust given to the publisher by choosing Tools → Internet Options → Content → Publishers, selecting the appropriate trust relationship, and then choosing Remove.

11.6.5.2 Error messages while removing controls

Often, if you try to delete an ActiveX control, you will get an error message preventing removal because the control is in use by Internet Explorer or Active Desktop. If this occurs, close Internet Explorer, disable Active Desktop (if enabled), reboot Windows, and try again.

11.6.5.3 Viewing and removing all controls

The controls you will see listed in Internet Explorer are just the controls downloaded by the browser and installed in the default downloaded program folder. The list doesn't include ActiveX controls installed by other software and mechanisms. If you want to view and audit all controls, you can search the registry under HKEY_CLASSES_ROOT\CLSID, search for all files with an .OCX extension, or download Microsoft's free OLE Viewer™ (OLEVIEW.EXE). For example, Internet Explorer listed 14 ActiveX objects on my test machine. Searching for files with the .OCX extension, I found 61 controls, most of which were in the C:\Windows\System and C:\Program Files folders.

Using OLE Viewer, I found hundreds of controls, most of which pointed to the previously found .OCX files, although remember that controls can have any extension. OLE Viewer contains a lot of information and is not for the faint of heart. However, it will reveal the file each control refers to, its CLASSID, and which controls are marked Safe for Scripting and Safe for Initialization. Figure 11-17 shows the OLE Viewer and some of the information you can learn using it.

Figure 11-17. Microsoft's OLE Viewer

I will not cover all the information you can learn from using OLE Viewer, but there are over two dozen fields of information on each control, and you can find the GUID of each control type classification, which can be helpful when tracking down controls marked as safe, etc. If you want the quickest way to see all the ActiveX controls installed on a PC, use OLE Viewer and look for the Controls category. If you are looking to see what controls are marked safe for scripting, choose the Controls that are safely scriptable category, although not all scriptable controls are registered there.

11.6.6 View Trust Relationships

You can view the trust relationships you have accepted during your browsing by choosing Tools → Internet Options → Content in Internet Explorer 5.x. The Certificates button will list the certificates your browser trusts. The Publishers button lists (see Figure 11-18) the software vendors your browser trusts. If a name appears here, it means your browser will download and execute code signed by that vendor without prompting you at its default security setting. As shown earlier, even nonmalicious controls have been known to force themselves in as trusted publishers. Review your trusted publisher list and remove those you don't need.

Figure 11-18. Trusted publisher certificates

11.6.7 Change Safe for Scripting Functionality

ActiveX controls can be marked Safe for Scripting and Safe for Initialization by their authors. If your Internet security is set to Low, you will be warned of controls that are not marked safe. There are many controls marked Safe for Scripting that probably should not be. To find out whether a particular control you've already downloaded was marked safe by the publisher, try these steps:

  1. Locate and record the CLASSID of the control. You can find this by choosing Tools → Internet Options → Settings → View Objects → right-click on the desired object → Properties. Record the CLASSID number.

  2. Run REGEDIT to search your registry database.

  3. Go to HKCR\CLSID\{CLASSID}\Implemented Categories.

  4. The following subkeys will exist if the control is marked safe: {7DD95801-9882-11CF-9FA9-00AA006C42C4} (Safe for Scripting) and {7DD95802-9882-11CF-9FA9-00AA006C42C4} (Safe for Initialization).

  5. Delete the two keys, and the selected control will no longer be marked safe. It's not pretty, but it works.

If you've got controls that can modify or read your local file system, you probably don't want those marked as Safe for Scripting. Of course, as always, be sure to back up your registry prior to performing any direct registry manipulation. In Figure 11-19, I searched the registry for Vivo Player's CLASSID to find the two keys that determine if the control has been marked Safe for Scripting and Safe for Initializing.
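To make the kill bit check from 11.6.2 and the Safe for Scripting check above repeatable across many machines, the following added example (not from the book) parses an exported fragment of HKCR\CLSID and the ActiveX Compatibility key offline, reports controls their author marked Safe for Scripting or Safe for Initialization that carry no kill bit, and emits the .reg fragment that sets the kill bit. The registry export, CLSIDs and control names are constructed samples.

```python
import re
# Category GUIDs named in the text (subkeys of HKCR\CLSID\{clsid}\Implemented Categories).
SAFE_FOR_SCRIPTING = "7DD95801-9882-11CF-9FA9-00AA006C42C4"
SAFE_FOR_INIT = "7DD95802-9882-11CF-9FA9-00AA006C42C4"
KILL_BIT = 0x400  # Compatibility Flags bit that stops Internet Explorer loading a control

# Constructed sample of a `reg export` fragment; CLSIDs and names are made up.
SAMPLE_REG = r"""[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}]
@="Example Player Control"
[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-AAAA-BBBB-CCCC-000000000002}]
@="Example File Helper"
[HKEY_CLASSES_ROOT\CLSID\{22222222-AAAA-BBBB-CCCC-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-AAAA-BBBB-CCCC-000000000002}]
"Compatibility Flags"=dword:00000400
"""

GUID = r"\{([0-9A-Fa-f-]{36})\}"
CLSID_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\" + GUID +
                      r"(?:\\Implemented Categories\\" + GUID + r")?\]$", re.I)
COMPAT_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer"
                       r"\\ActiveX Compatibility\\" + GUID + r"\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', re.I)

def parse_reg(text):
    """Map CLSID -> {"name", "categories", "flags"} from .reg export text."""
    controls, clsid, in_compat = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):                        # a new key: reset state
            clsid, in_compat = None, False
            m = CLSID_RE.match(line) or COMPAT_RE.match(line)
            if not m:
                continue
            clsid = m.group(1).upper()
            entry = controls.setdefault(clsid, {"name": "", "categories": set(), "flags": 0})
            in_compat = m.re is COMPAT_RE
            if m.re is CLSID_RE and m.group(2):         # Implemented Categories subkey
                entry["categories"].add(m.group(2).upper())
        elif clsid and in_compat and (m := FLAGS_RE.match(line)):
            controls[clsid]["flags"] = int(m.group(1), 16)
        elif clsid and not in_compat and line.startswith('@="'):
            controls[clsid]["name"] = line[3:-1]        # default value holds the display name
    return controls

def audit(controls):
    """Controls their author marked safe that Internet Explorer will still load (no kill bit)."""
    return [(cid, c["name"], SAFE_FOR_SCRIPTING in c["categories"], SAFE_FOR_INIT in c["categories"])
            for cid, c in sorted(controls.items())
            if c["categories"] & {SAFE_FOR_SCRIPTING, SAFE_FOR_INIT} and not c["flags"] & KILL_BIT]

def kill_bit_reg(clsid):  # .reg fragment applying the kill-bit setting from 11.6.2 to one CLSID
    return ('\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\ActiveX Compatibility'
            '\\{%s}]\n"Compatibility Flags"=dword:00000400\n' % clsid.upper())
```

Run `reg export HKCR\CLSID` and `reg export "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility"` on the machine to be audited and feed the concatenated text to parse_reg in place of SAMPLE_REG.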

Figure 11-19. Registry search to find if a control has been marked Safe for Scripting and Safe for Initializing

11.6.8 Enable Certificate Revocation Checking

You can tell Internet Explorer 5.0 and above to check a developer's signing certificate against the certificate authority's certificate revocation list prior to accepting the certificate. This lengthens the certificate acceptance process, but increases the degree of trust you can place in the certificate. You instruct Internet Explorer to check revocation lists by enabling two Tools → Internet Options → Advanced → Security options: Check for publisher's certificate revocation and Check for server certificate revocation. The latter option concerns certificates that cover entire web sites rather than signed code. A third option, Warn about invalid site certificates, directs Internet Explorer to check the URL links included in a site certificate and warns you if a link is invalid.

Although certificate revocation checking is not completely reliable, it cannot hurt to have it on.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security), ISBN 156592682X, 2001.
