DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  ActiveX

SYSTEMS AFFECTED

  Systems running ActiveX
  

PROBLEM


    ActiveX  is  an  attractive  technology  that  many  of you may be
    tempted to use  through your Web  browser. This is  fine and dandy
    if you trust every single site on the net that you visit. But,  if
    you're like most of us who  surf blindy from site to site  looking
    for new and exciting things, you just may be asking for trouble.

    ActiveX inherits the permissions of the user logged on locally  to
    the machine the controls run  on. In other words, if  your browser
    supports  ActiveX  and  you  have  this  feature enabled, then the
    control has the same authority you do. If you have  administrative
    rights,  so  do  the  ActiveX  controls  --  which  can be a nasty
    problem.

    There has  been a  great deal  of talk  about how ActiveX controls
    can be written to do  malicious things on the Internet.   However,
    what  has  not  being  recognized  is  that  even standard ActiveX
    controls  can  be  made  to  do  malicious  things  via  HTML  and
    VBScript.   Here  are  two  simple  examples  of  "good"   ActiveX
    controls being made to do "bad" things:

        The computer crashing URL - file:///aux

    If Microsoft's ActiveMovie  control is told  to play a  movie from
    the URL  file:///aux Internet  Explorer will  go into  an infinite
    loop under Windows 95.   Attempting to shutdown Internet  Explorer
    by doing an "End Task" will more often then not crash Windows  95.
    This bug can be exploited by  the "bad guys" to create HTML  pages
    that will crash people's  computers when the pages  are downloaded
    from a web site.

    Even  more  worrisome  are  ActiveX  controls that contain methods
    (i.e., function calls) that write  files to disks.  These  methods
    can be used by a  simple VBscript program to overwrite  key system
    files like AUTOEXEC.BAT, CONFIG.SYS,  REG.DAT etc.  The  damage is
    done simply  by viewing  an HTML  page that  contains the  ActiveX
    control  and  the  malicious  VBScript  code.   I know of at least
    three commercially  available ActiveX  controls that  have methods
    that will save files to disk.   Any of these controls, I  believe,
    can be exploited to  build a disk crash  HTML page.  At  least two
    of these  controls have  valid Authenticode  digital signatures so
    that they can be  automatically downloaded and executed  even with
    the highest security settings in Internet Explorer 3.



EXPLOIT

  

SOLUTION


    Disabled  all  ActiveX  scripts,  controls,  and  plug-ins on your
    browser. Then when you're certain  that a site is safe,  turn them
    on ONLY while  surfing that site  - and turn  them back off  again
    when you're done. Do the same thing for Java and Javascript too.