11.6 Removing and Preventing Malicious ActiveX Controls

This section discusses several things you can do to remove and minimize the risk from malicious ActiveX controls. The following items were covered in Chapter 10 and aren't covered in detail here:
The following sections cover further items in more detail.

11.6.1 Run Only Trusted Code

Running only the code you trust is a significant step in reducing your exposure to malicious mobile code. In the theoretical world of ActiveX, this means only running digitally signed code. With the Internet zone's default security setting, this is automatic. At the Low setting, you will be prompted whether you want to run unsigned code. With any other setting, unsigned code is discarded without any user notification. Unfortunately, trusted and signed code fails the digital certification process all the time. Sometimes the cause is something as small as a web site name change (the name is stored in the certificate) or an expired certificate. Most controls aren't signed at all (see Figure 11-12). They come from legitimate vendors and are safe to use, but for whatever reason, the programmers didn't go through with the extra effort and money necessary to digitally sign the code. Thus, it is up to the user whether or not to accept the unauthenticated code. This is ActiveX's biggest weakness. Unless you have the time and are capable enough to examine the source code yourself, you are taking a leap of faith when you accept unsigned code. You should only take the leap for vendors whom you trust, and you should rarely trust noncommercial vendors. In environments where security is a must, you shouldn't run unsigned code.

Figure 11-12. VeriSign does not have a digital ID on file for this control

Network administrators can use the registry or the Internet Explorer Administration Kit (IEAK, briefly covered in Chapter 9) to set a list of approved controls. No other controls can be installed or executed. Approved controls are stored by their CLASSIDs at HKCR\Software\Policies\Microsoft\windows\CurrentVersion\Internet Settings\Allowed Controls.

11.6.2 Kill Bit Setting

Administrators and users can set a kill bit flag in the registry to make Internet Explorer not load specific controls.
To do so, the control's CLASSID must be known. Then the following registry key must be located or created: HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CLASSID}. Locate the Compatibility Flags value. By default, it can hold several values. Setting it to 400 instructs Internet Explorer not to load the control. This is a good way for administrators to prevent known controls from running if they've had a problem with them previously. The kill bit only works within Internet Explorer, and thus some controls can bypass the setting. For example, I set the kill bit on Adobe's Acrobat ActiveX control. When I clicked on a .PDF document in Internet Explorer, the control was not launched. However, I downloaded the same .PDF document to my hard drive and clicked on it in Internet Explorer. Explorer automatically loaded Windows Explorer to handle the local file, which then loaded Acrobat and displayed the .PDF document. This just reinforces one of the criticisms of ActiveX: security is handled by the browser.

11.6.3 Examine Certificates

Most of the time, I readily accept signed code without hesitation. But if you suspect a digital ID has been tampered with or you don't fully trust the vendor, carefully inspect the certificate during download. When you download a new, signed control, Internet Explorer will display the control's certificate and prompt you to accept it (unless you've already told it to automatically download all controls from a previously trusted publisher). The acceptance dialog box contains links to the publisher's certificate. Click on the name of the software publisher to view the author's certificate and then choose Details (see Figure 11-13) to reveal more information. The certificate contains the author's name, the control's name, the CA's name, the certificate's expiration date, and over a dozen other details that attest to the author's identity.

Figure 11-13. Certificate details

You can save the certificate for later inspection by choosing the Copy to File button in Figure 11-13. This starts Microsoft's Certificate Manager Export wizard. You will be prompted with a couple of options, including where to save the file. The file will be encrypted and have a .CER extension. When you click on the saved file in Explorer, it will be opened by Microsoft's CRYPTEXT.DLL application. The certificate will appear in its original form for inspection. It is important to note that if you do not choose to save a copy of the certificate to disk during the initial certificate viewing, it will be difficult to resurrect later.
11.6.4 Configure ActiveX Browser Security

There are five security settings related to ActiveX controls under Tools → Internet Options → Security → Custom → ActiveX controls and plug-ins:
If your company needs absolute security, disable all ActiveX options. This will require a custom security setting in the appropriate zone. With Internet Explorer 5.x, the default Internet security zone is set to Medium. Medium security disables downloading unsigned controls and disables scripting of controls not marked as safe. Medium security is a good level for most end-user PCs, except that I like to have the option of choosing whether to accept or deny unsigned controls. The Internet is full of legitimate unsigned controls, and although I don't necessarily run them, I do like knowing when a particular web page tries to initiate an unsigned control on my system. If I am not warned, then I can't consider the validity of the request. And in some cases, where I have complete trust in the vendor's site, I will accept and run an unsigned control. Table 11-1 is a security matrix showing the relationships between Internet Explorer's different security settings and my custom recommendations. Normal end users without an understanding of ActiveX security and risks should have their security settings set to Medium or High.

Table 11-1. Internet Explorer 5.x settings related to ActiveX
Most options are self-explanatory, but some users get confused about the difference between the options controlling downloading and those that control the running of ActiveX controls. If you disable running ActiveX controls and plug-ins, your browser will not run any controls or plug-ins, even if they are already downloaded and trusted. The download security items are only concerned with whether or not to download, and they are not involved in the decision of whether to launch ActiveX controls. If enabled, all ActiveX controls are downloaded to a temporary directory, even before being reviewed for a digital signature. For that reason, if you want to disable ActiveX controls, make sure to disable the downloading of them as well. If a malicious control were placed in the temporary directory, there is a small risk that a hacker could execute the downloaded control via some other method. Figure 11-14 shows the warning Internet Explorer will display when a plug-in or control is attempting to download and security is set to High.

Figure 11-14. Internet Explorer warning when a plug-in or control is attempting to download

11.6.5 Remove Unnecessary Controls

Over a period of time, any browser will become a repository for unused controls. Most are from web sites visited once, to which the user will never return. Use Tools → Internet Options → Settings → View Objects to view the controls and applets downloaded and trusted by your browser. You can right-click any object to get more details. The CODEBASE field will often tell you where the control came from. You can remove any objects you are sure you are not using or don't trust. Although there have been security risks involving installed Microsoft controls, deleting them could produce functionality problems within Windows, Internet Explorer, and certain web pages. You are better off leaving them, unless you need absolute security.
In the Figure 11-15 example, the NFL.COM control was left installed well after I visited the http://www.nfl.com web site to follow a playoff game. I don't plan to return to the site, so it should be removed.

Figure 11-15. Installed controls

To remove an ActiveX control, right-click the object and choose Remove. Alternately, you can use Start → Control Panel → Add/Remove Programs. Microsoft prefers that you attempt this method first. It will attempt to remove registry entries and files. You can also delete any .OCX file using Internet Explorer or Find File. As shown in Figure 11-16, you can choose File → Properties to see more details on any control to help with your removal decision.

Figure 11-16. Properties of a control

11.6.5.1 Reappearing controls

Some deleted controls can reappear without warning if you selected the Always Trust Content From This Vendor option during installation. Since the vendor's certificate is still trusted, if you visit a site containing one of the deleted controls from a trusted vendor, it will automatically download again. In these cases, you would also have to remove the trust given the publisher by choosing Tools → Internet Options → Content → Publishers, selecting the appropriate trust relationship, and then choosing Remove.

11.6.5.2 Error messages while removing controls

Often, if you try to delete an ActiveX control, you will get an error message preventing removal because the control is in use by Internet Explorer or Active Desktop. If this occurs, close Internet Explorer, disable Active Desktop (if enabled), reboot Windows, and try again.

11.6.5.3 Viewing and removing all controls

The controls you will see listed in Internet Explorer are just the controls downloaded by the browser and installed in the default downloaded program folder. The list doesn't include ActiveX controls installed by other software and mechanisms.
If you want to view and audit all controls, you can search the registry under HKEY_CLASSES_ROOT\CLSID, search for all files with an .OCX extension, or download Microsoft's free OLE Viewer (OLEVIEW.EXE). For example, Internet Explorer listed 14 ActiveX objects on my test machine. Searching for files with the .OCX extension, I found 61 controls, most of which were in the C:\Windows\System and C:\Program Files folders. Using OLE Viewer, I found hundreds of controls, most of which pointed to the previously found .OCX files, although remember that controls can have any extension. OLE Viewer contains a lot of information and is not for the faint of heart. However, it will reveal the file each control refers to, their CLASSIDs, and which controls are marked Safe for Scripting and Safe for Initialization. Figure 11-17 shows the OLE Viewer and some of the information you can learn using it.

Figure 11-17. Microsoft's OLE Viewer

I will not cover all the information you can learn from using OLE Viewer, but there are over two dozen fields of information on each control, and you can find the GUID of each control type classification, which can be helpful when tracking down controls marked as safe, etc. If you want the quickest way to see all the ActiveX controls installed on a PC, use OLE Viewer and look in the Controls category. If you want to see which controls are marked Safe for Scripting, choose the Controls that are safely scriptable category, although not all scriptable controls are registered here.

11.6.6 View Trust Relationships

You can view the trust relationships you have accepted during your browsing by choosing Tools → Internet Options → Content in Internet Explorer 5.x. The Certificates button will list the certificates your browser trusts. The Publishers button lists (see Figure 11-18) the software vendors your browser trusts.
If a name appears here, it means your browser will download and execute code signed by these vendors without prompting you at its default security setting. As shown earlier, even nonmalicious controls have been known to force themselves in as trusted publishers. Review your trusted publisher list and remove those you don't need.

Figure 11-18. Trusted publisher certificates

11.6.7 Change Safe for Scripting Functionality

ActiveX controls can be marked Safe for Scripting and Safe for Initialization by their authors. If your Internet security is set to Low, you will be warned of controls that are not marked safe. There are many controls marked as Safe for Scripting that probably should not be. To find out whether a particular control that you've already downloaded was marked safe by the publisher, try these steps:
If you've got controls that can modify or read your local file system, you probably don't want those marked as Safe for Scripting. Of course, as always, be sure to back up your registry prior to performing any direct registry manipulation. In Figure 11-19, I searched the registry for Vivo Player's CLASSID to find the two keys that determine whether the control has been marked Safe for Scripting and Safe for Initializing.

Figure 11-19. Registry search to find if a control has been marked Safe for Scripting and Safe for Initializing

11.6.8 Enable Certificate Revocation Checking

You can tell Internet Explorer 5.0 and above to check a developer's signing certificate against the certificate authority's certificate revocation list prior to accepting the certificate. This lengthens the certificate acceptance process, but increases the degree of reliance you can place on the certificate. You instruct Internet Explorer to check revocation lists by enabling two Tools → Internet Options → Advanced → Security options: Check for publisher's certificate revocation and Check for server certificate revocation. The latter option concerns certificates that cover entire web sites, not signed code. A third option, Warn about invalid site certificates, directs Internet Explorer to check the URL links included in a site certificate and warns you if a link is invalid.
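The kill bit of Section 11.6.2, the registry audit of Section 11.6.5.3 and the Safe for Scripting / Safe for Initializing keys of Section 11.6.7 can all be checked from one script. The following PowerShell is an added example, not code from the book; it assumes Windows PowerShell with its registry provider and uses the standard COM component-category GUIDs for Safe for Scripting, Safe for Initializing and Controls, which the book does not print.

```powershell
# Added example: audit ActiveX controls for kill bit and safety-category marking.
# Standard COM component-category GUIDs (CATIDs); these are not taken from the book.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$CatControl             = '{40FC6ED4-2438-11CF-A3DB-080036F12502}'
$KillBit                = 0x400   # the "400" regedit shows is this hex DWORD value

function Get-ActiveXControlStatus {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$id"
        $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
        # Module the control loads from (the .OCX/.DLL that OLE Viewer points at)
        $server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        # Kill bit: bit 0x400 of the Compatibility Flags DWORD, if the key exists at all
        $flags  = (Get-ItemProperty $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Safety categories. A control may instead answer IObjectSafety at runtime,
        # so "not registered here" does not prove it is unmarked (see 11.6.5.3).
        $cats = "$clsidKey\Implemented Categories"
        [pscustomobject]@{
            Clsid               = $id
            Server              = $server
            KillBitSet          = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            SafeForScripting    = Test-Path "$cats\$CatSafeForScripting"
            SafeForInitializing = Test-Path "$cats\$CatSafeForInitializing"
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit of 11.6.2 without clobbering other flags. Needs an elevated shell.
    param([Parameter(Mandatory)][string]$Clsid)
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item $compatKey -Force | Out-Null }
    $current = (Get-ItemProperty $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty $compatKey -Name 'Compatibility Flags' -Type DWord -Value ([int]$current -bor $KillBit)
}

# Usage: list every registered control (what OLE Viewer's Controls node shows) that is
# marked Safe for Scripting but has no kill bit, i.e. the set worth reviewing by hand.
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    Where-Object { Test-Path "$($_.PSPath)\Implemented Categories\$CatControl" } |
    ForEach-Object { Get-ActiveXControlStatus -Clsid $_.PSChildName } |
    Where-Object { $_.SafeForScripting -and -not $_.KillBitSet } |
    Format-Table Clsid, Server, SafeForInitializing -AutoSize
```

Back up the registry before calling Set-ActiveXKillBit, as the section above advises for any direct registry change.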