  #1  
Old 07-11-2008
Member
 
Join Date: May 2008
Posts: 130
How bad is ActiveX?

Ok - I've read a lot about ActiveX on the Internet, so I know that ActiveX is not run in a sandbox and it has the same level of access as the user. I know that you 'can' disable ActiveX or you can restrict it to signed controls only (although a signed control can still be malicious), and all these configuration options may have a negative effect on the user's Internet browsing experience. But I'm confused to see some reports of flaws in current ActiveX controls - sure, the control can be abused to take over the user's PC, but if a malicious website wants to take over a user's PC why don't they use their own ActiveX control? Is it that the majority of companies do not allow ActiveX controls to be downloaded (they must all be installed by IT)? Also, are there practical limitations to what an ActiveX control can do? Can it send crafted network packets (such as to exploit the recent MS RPC vulnerability) or has it only got high-level access to network commands? Is it relatively simple for an ActiveX control to be written to quietly get the browser to set up a remote control session from an external host, or to get the ActiveX control to download files off the network? Suggestions are welcome. Thanks in advance.
  #2  
Old 07-11-2008
Member
 
Join Date: Nov 2008
Posts: 90
Re: How bad is ActiveX?

You have just discovered why Firefox has become so popular a recommendation among anyone with any security leaning whatsoever: ActiveX can't be an issue on a browser that doesn't support it. Firefox in a default install doesn't do ActiveX. Personally, I wouldn't trust ActiveX security policy in IE any further than I could throw it. But I am interested in answers to your question about the relative difficulty of getting ActiveX controls installed without user intervention.

Best Regards,
  #3  
Old 07-11-2008
Member
 
Join Date: May 2008
Posts: 181
Re: How bad is ActiveX?

Quote:
Originally Posted by Vigour View Post
You have just discovered why Firefox has become so popular a recommendation among anyone with any security leaning whatsoever: ActiveX can't be an issue on a browser that doesn't support it. Firefox in a default install doesn't do ActiveX. Personally, I wouldn't trust ActiveX security policy in IE any further than I could throw it. But I am interested in answers to your question about the relative difficulty of getting ActiveX controls installed without user intervention.

Best Regards,

Conversely, Firefox has no security for extensions. While the browser itself MAY be secure, there is no validation for extensions and there is a potential for things to go awry.
  #4  
Old 07-11-2008
Member
 
Join Date: Oct 2008
Posts: 29
Re: How bad is ActiveX?

Quote:
Originally Posted by Joachim View Post
Ok - I've read a lot about ActiveX on the Internet, so I know that ActiveX is not run in a sandbox and it has the same level of access as the user. I know that you 'can' disable ActiveX or you can restrict it to signed controls only (although a signed control can still be malicious), and all these configuration options may have a negative effect on the user's Internet browsing experience. But I'm confused to see some reports of flaws in current ActiveX controls - sure, the control can be abused to take over the user's PC, but if a malicious website wants to take over a user's PC why don't they use their own ActiveX control? Is it that the majority of companies do not allow ActiveX controls to be downloaded (they must all be installed by IT)? Also, are there practical limitations to what an ActiveX control can do? Can it send crafted network packets (such as to exploit the recent MS RPC vulnerability) or has it only got high-level access to network commands? Is it relatively simple for an ActiveX control to be written to quietly get the browser to set up a remote control session from an external host, or to get the ActiveX control to download files off the network? Suggestions are welcome. Thanks in advance.

Exploiting vulnerabilities in installed ActiveX browser components is just an easy way for criminals to run their code without the user consenting or being aware of it. Why take the risk that a user might decline to install something by making them decide? Of course, they do that as well, and people are still socially-engineered to run malware in the form of BHOs (browser helper objects) or ordinary executable files.
  #5  
Old 07-11-2008
Member
 
Join Date: Nov 2008
Posts: 333
Re: How bad is ActiveX?

Quote:
Originally Posted by Joachim View Post
Ok - I've read a lot about ActiveX on the Internet, so I know that ActiveX is not run in a sandbox and it has the same level of access as the user. I know that you 'can' disable ActiveX or you can restrict it to signed controls only (although a signed control can still be malicious), and all these configuration options may have a negative effect on the user's Internet browsing experience. But I'm confused to see some reports of flaws in current ActiveX controls - sure, the control can be abused to take over the user's PC, but if a malicious website wants to take over a user's PC why don't they use their own ActiveX control? Is it that the majority of companies do not allow ActiveX controls to be downloaded (they must all be installed by IT)? Also, are there practical limitations to what an ActiveX control can do? Can it send crafted network packets (such as to exploit the recent MS RPC vulnerability) or has it only got high-level access to network commands? Is it relatively simple for an ActiveX control to be written to quietly get the browser to set up a remote control session from an external host, or to get the ActiveX control to download files off the network? Suggestions are welcome. Thanks in advance.

Because any vaguely sensible security policy would, at a minimum, require user confirmation before installing them from the internet or untrusted zones (and should probably not allow unsigned ones at all).

They can do anything that an ordinary .exe can do, when run by the user of the browser.

I don't know the exact rules for Windows, but there are some network operations that require Administrator access on Unix. Note, as you implied an environment where user convenience was more important than security, it may well be that the users do have Administrator rights!

Yes. (It is possible that some firewall products may detect this, and that some virus/spyware programs may also sense a risk.)

Generally, there is a strong correlation between the ability to produce a "rich user experience" and the high security risks.
  #6  
Old 07-11-2008
Member
 
Join Date: May 2008
Posts: 130
Re: How bad is ActiveX?

Quote:
Originally Posted by The Edge View Post
Because any vaguely sensible security policy would, at a minimum, require user confirmation before installing them from the internet or untrusted zones (and should probably not allow unsigned ones at all). They can do anything that an ordinary .exe can do, when run by the user of the browser. I don't know the exact rules for Windows, but there are some network operations that require Administrator access on Unix. Note, as you implied an environment where user convenience was more important than security, it may well be that the users do have Administrator rights! Yes. (It is possible that some firewall products may detect this, and that some virus/spyware programs may also sense a risk.) Generally, there is a strong correlation between the ability to produce a "rich user experience" and the high security risks.

Agreed - we have that - but if the user has been fooled into thinking that this is a safe website and if they are also being fooled into clicking on a link, then they will very likely click through any messages. We also block unsigned ActiveX, but I gather (from messages in the archives) that signing an ActiveX control is no big deal - particularly if the malefactor has access to stolen credit card details (or other stolen IDs). I guess the answer is to block all ActiveX downloads from the untrusted zone, but then we need to keep on top of installing controls manually.
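Added example, not part of the thread: one way to check the policy the last post settles on (no ActiveX downloads from the untrusted zone, with a prompt treated as insufficient because users click through it). It audits a `reg export` of an Internet Explorer zone key; the assumptions are that the "untrusted zone" means IE's Internet zone (zone 3) and that the export text below, which is constructed, stands in for a real machine's.

```python
import re

# IE URL-action values under ...\Internet Settings\Zones\<n>; zone 3 = Internet.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked safe",
}
POLICY = {0: "enable", 1: "prompt", 3: "disable"}

# Constructed sample of `reg export` output, not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000000
'''

def parse_zone(export_text, zone="3"):
    """Return {action_id: int} for the given zone key in a .reg export."""
    settings, in_zone = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Track whether we are inside the requested Zones\<n> key.
            in_zone = line.rstrip("]").endswith("\\Zones\\" + zone)
            continue
        m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
        if in_zone and m:
            settings[m.group(1).upper()] = int(m.group(2), 16)
    return settings

def audit(settings):
    """Flag every ActiveX action that is not set to disable (3)."""
    findings = []
    for action, label in ACTIONS.items():
        value = settings.get(action)
        if value == 3:
            continue
        state = "not set" if value is None else POLICY.get(value, hex(value))
        note = " (depends on the user declining the prompt)" if value == 1 else ""
        findings.append(f"{action} {label}: {state}{note}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_zone(SAMPLE_EXPORT)):
        print(finding)
```

A real export from `reg export` is UTF-16 encoded, so decode the file with `encoding="utf-16"` before passing its text to `parse_zone`.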