Malicious Mobile Code: Virus Protection for Windows By Roger A. Grimes
Chapter 11. Malicious ActiveX Controls
To date, only a few malicious controls have been reported in the wild, and none are widely spread. However, seemingly innocent controls have been used for attacks, and nearly 50 ActiveX weaknesses have been discovered. ActiveX's biggest problem is the way it incorrectly marks controls Safe for Scripting. Already used in several email worm attacks, these types of holes continue to appear. If Microsoft cannot correctly determine the safety and appropriateness of its own system controls, how can vendors be expected to? Following that problem is the growing use of unsigned code. The digital signing process is technical and expensive. Most ActiveX controls on the Web are unsigned. Many of those that are signed are expired. I rarely come across a control that is signed and current. If ActiveX's security lives or dies on whether end users correctly choose to trust or not trust unsigned controls to run, it appears doomed unless digital signing of code becomes widespread. If ActiveX controls become standardized across the world's web sites, as expected, we will surely see a rise in malicious code for ActiveX.