lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: Software vendors just don't get ActiveX security

>Software vendors continue to not understand ActiveX security issues.  I
>found a number of ActiveX controls on my laptop which are marked "safe
>for scripting", but they are clearly not.  These controls contain
>methods which can be used from a Web page to do things like run
>programs, download files from Web sites to the local hard drive, provide
>file system access, etc.

Yes, several vendors have made errors, and even Microsoft, the inventor of
ActiveX, has had its stumbles:

Unsafe Functions in Office Web Components (OWC)
http://www.microsoft.com/technet/security/bulletin/ms02-044.asp

Outlook View Control Exposes Unsafe Functionality
http://www.microsoft.com/technet/security/bulletin/ms01-038.asp

Unsafe ActiveX Controls Vulnerability in Internet Explorer
http://www.microsoft.com/technet/security/bulletin/ms99-037.asp

The biggest problem with this entire class of vulnerabilities is that the
flaws are often trivial to exploit.  In general, the original design of
ActiveX was poorly done -- it completely omitted any procedure for dealing
with controls containing security vulnerabilities.

IMO, if there were a review process associated with a "Safe for Scripting"
control, these vulnerabilities could be reduced.  At least as far as
Microsoft is concerned, these issues appear to be declining in number. 
MS99-037 fixed an entire list of potentially vulnerable components, and
since then, only two controls that deliberately exposed unsafe
functionality have been found.  Deliberately exposing unsafe functionality
excludes things like buffer overflows, which are purely accidental (we
hope), and go beyond ActiveX into more general security issues.

[snip]

>Every Windows computer I've owned since 1998 has come preinstalled with
>ActiveX controls which were mismarked as "safe for scripting".  I don't
>see this problem getting solved.  There doesn't seem to be any mechanism
>for educating software vendors about ActiveX security.  The same
>mistakes are being made over and over again.  Perhaps ActiveX security
>is just too difficult.

In my opinion, designating "safety" should not rest with a potentially
biased developer.  There should be an external entity for testing code
safety, much as there is for proving the authenticity of code -- although
this has been historically broken.

Unfortunately, ActiveX is much like the rest of internet technology --
security is an after-thought.  I do not see this broader cycle being broken
anytime soon, until technology consumers demand appropriate infrastructure
for dealing with present flaws, as well as potential future vulnerabilities.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ