Myths and legends: ActiveX security I (Introduction)
Via: Hispasec
ActiveX is a proprietary Microsoft technology that, over time, has come to be regarded as practically cursed where security is concerned. The many problems both in the technology itself and in the programs that have used it have earned it this reputation. What risks and security problems does ActiveX really present? Is it really so dangerous? As always, there are no absolute answers, and all these questions are quite debatable.
What is it?
In summary, ActiveX is a Microsoft technology. It is a library (basically an executable) with functions like any other, with the peculiarity that it implements an interface called IDispatch, which allows the "object" to interact in a specific (more abstract) way with the program that hosts it (called the container). ActiveX controls are therefore not "independent" programs, and they are usually created using any language that supports the COM model. "Physically" they take the form of a DLL or OCX library. Internet Explorer and the Office programs are containers that support this technology. An ActiveX component is therefore executable code (developed by and for Microsoft) encapsulated in an object built to those standards. Encapsulating the code in this way provides portability and reuse.
It is possible to use an ActiveX object (call its functions) by inserting it into any application that supports it, regardless of the language in which the ActiveX control was created. A common use is to interact with Internet Explorer and the system through JavaScript calls. A typical example of a call to an ActiveX object from a web page is:
<html>
<object id="nombrecualquiera"
        classid="CLSID:012345567-12345-1234-A1234-F1234567789A"></object>
<script language="javascript">
  // nombrecualquiera = any id; the call below is any function exposed by the control
  nombrecualquiera.FuncionCualquieraDentroDelActiveX(a, b);
</script>
</html>
Here there is a unique relationship between the CLSID code and the OCX or DLL file. Scans run through the web (with no need to install the product) are usually done through a registered ActiveX control; the toolbars added to Internet Explorer (such as those from Yahoo!, Google ...) are registered ActiveX controls; the Windows Update setup and many others that go unnoticed by the user are all registered ActiveX controls.
But there are also many ActiveX controls installed with Windows as standard, for the operating system's own use, that at no point have anything to do with the web or the network but take advantage of the technology's portability and capacity for reuse. Finally, many Web-based programs that do not need to interact with other containers register their own ActiveX controls.
Is it like Java applets?
ActiveX was, in fact, part of Microsoft's answer to Java applets, with significant differences in form but a similar philosophy. Both Java applets and ActiveX controls are programs that are downloaded and executed locally. The creators of the JRE (Java Runtime Environment, the environment in which applets run) knew from the beginning that this would be a risk, so applets run "locked" in a virtual sandbox that prevents the code from accessing other parts of the system (unless vulnerabilities in the JRE are exploited to escape the sandbox).
Why can it be dangerous?
If we focus on security, the problem can arise in several ways:
* An ActiveX control, unlike an applet confined to the sandbox, has free access to the system with the permissions of the user running it. It has the same effect as running any other program.
* In the current model, an ActiveX control installed (registered) by an administrator user is available to all other users. It is exposed to everyone and, if it contains a security problem, it affects all users.
* Many ActiveX controls are, basically, nothing more than programs that are downloaded and installed through Internet Explorer. They therefore inherit, first of all, the risks of indiscriminately downloading and running any other program. ActiveX can be used to distribute malware, although this is not the case for the majority.
* But the most important reason an ActiveX control can be dangerous is the same as for any other program. It is merely a piece of code written by a human being and therefore prone to errors. The basic problem is that a security flaw in an ActiveX component "costs more" than in other applications.
* It costs more because, although it is hosted on the system, this DLL or OCX is sometimes accessible through Internet Explorer. The browser, as the usual container, can sometimes call its functions and, if these have a bug, exploit it. For practical purposes, if we have an ActiveX control (a DLL, for example) on the system for the use of some program that has nothing to do with the web, pages one visits might call (invoke) the DLL and exploit the bug.
Basically, it is an open door from the Internet to executables on the hard disk. Hence the greatest danger. The mix of an overly permissive design (the responsibility of Microsoft) and vulnerable, poorly designed programs (the responsibility of ActiveX developers) has led to the technology being considered unsafe.
But obviously Microsoft has put good and important mechanisms in place to mitigate these risks: code signing, programming within the ActiveX control itself that states what it may do, kill bits, browser configuration ... Many methods have been used to make ActiveX controls less powerful than the concept itself allows, but sometimes the measures have not been sufficient. We will discuss this in the next article.
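The exposure described above (a registered control that web pages can invoke) and the kill-bit mitigation can both be audited from the registry. The following Python is an added example, not part of the original article: it parses the text produced by reg export and reports which registered controls are marked safe for scripting and have no kill bit. The sample data and its CLSIDs are constructed; the registry paths, the 0x400 flag and the category GUID are standard Windows values that the article itself does not give.

```python
import re

# Standard Windows values (not from the article).
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from instantiating the control
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4163}"  # CATID_SafeForScripting
COMPAT_KEY = r"\Internet Explorer\ActiveX Compatibility" + "\\"
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SECTION = re.compile(r"^\[(.+)\]$")
CLSID_KEY = re.compile(r"\\CLSID\\(" + GUID + r")(?:\\(.*))?$", re.I)

# Constructed sample in .reg export format; the CLSIDs and path are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\viewer.ocx"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4163}]
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4163}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000400
"""

def audit(reg_text):
    """Return {clsid: {"server", "safe_for_scripting", "kill_bit"}} from .reg export text."""
    controls, key = {}, ""
    def entry(clsid):
        default = {"server": None, "safe_for_scripting": False, "kill_bit": False}
        return controls.setdefault(clsid.upper(), default)
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:  # a new [key] header
            key = m.group(1)
            c = CLSID_KEY.search(key)
            if c and (c.group(2) or "").upper() == "IMPLEMENTED CATEGORIES\\" + SAFE_FOR_SCRIPTING:
                entry(c.group(1))["safe_for_scripting"] = True
            continue
        c = CLSID_KEY.search(key)
        if c and (c.group(2) or "").lower() == "inprocserver32" and line.startswith("@="):
            # Default value of InprocServer32 is the DLL/OCX behind the CLSID.
            entry(c.group(1))["server"] = line[2:].strip('"').replace("\\\\", "\\")
        elif COMPAT_KEY.lower() in key.lower() and line.lower().startswith('"compatibility flags"=dword:'):
            flags = int(line.split(":", 1)[1], 16)
            entry(key.rsplit("\\", 1)[1])["kill_bit"] = bool(flags & KILL_BIT)
    return controls

def web_reachable(controls):
    """CLSIDs registered as safe for scripting with no kill bit: candidates for review."""
    return sorted(c for c, v in controls.items() if v["safe_for_scripting"] and not v["kill_bit"])

if __name__ == "__main__":
    print(web_reachable(audit(SAMPLE)))
```

Files written by reg export are UTF-16, so read them with encoding="utf-16" before passing the text to audit(). Controls that declare themselves safe at run time through IObjectSafety do not show up in this registry-only view.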
Author: Sergio de los Santos






















