
Thread: How bad is ActiveX?

  1. #1
    Join Date
    May 2008
    Posts
    130

    How bad is ActiveX?

    Ok - I've read a lot about ActiveX on the Internet, so I know that ActiveX is not run in a sandbox and it has the same level of access as the user. I know that you 'can' disable ActiveX or you can restrict it to signed controls only (although a signed control can still be malicious), and all these configuration options may have a negative effect on the user's Internet browsing experience. But I'm confused to see some reports of flaws in current ActiveX controls - sure, the control can be abused to take over the user's PC, but if a malicious website wants to take over a user's PC, why don't they use their own ActiveX control? Is it that the majority of companies do not allow ActiveX controls to be downloaded (they must all be installed by IT)? Also, are there practical limitations to what an ActiveX control can do? Can it send crafted network packets (such as to exploit the recent MS RPC vulnerability), or has it only got high-level access to network commands? Is it relatively simple for an ActiveX control to be written to quietly get the browser to set up a remote control session from an external host, or to get the ActiveX control to download files off the network? Suggestions are welcome, thanks in advance.

  2. #2
    Join Date
    Nov 2008
    Posts
    90

    Re: How bad is ActiveX?

    You have just discovered why Firefox has become so popular a recommendation among anyone with any security leaning whatsoever: ActiveX can't be an issue on a browser that doesn't support it. Firefox in a default install doesn't do ActiveX. Personally, I wouldn't trust ActiveX security policy in IE any further than I could throw it. But I am interested in answers to your question about the relative difficulty of getting ActiveX controls installed without user intervention.

    Best Regards,

  3. #3
    Join Date
    May 2008
    Posts
    181

    Re: How bad is ActiveX?

    Quote Originally Posted by Vigour
    You have just discovered why Firefox has become so popular a recommendation among anyone with any security leaning whatsoever: ActiveX can't be an issue on a browser that doesn't support it. Firefox in a default install doesn't do ActiveX. Personally, I wouldn't trust ActiveX security policy in IE any further than I could throw it. But I am interested in answers to your question about the relative difficulty of getting ActiveX controls installed without user intervention.

    Best Regards,

    Conversely, Firefox has no security for extensions. While the browser itself MAY be secure, there is no validation for extensions and there is a potential for things to go awry.

  4. #4
    Join Date
    Oct 2008
    Posts
    29

    Re: How bad is ActiveX?

    Quote Originally Posted by Joachim
    Ok - I've read a lot about ActiveX on the Internet, so I know that ActiveX is not run in a sandbox and it has the same level of access as the user. I know that you 'can' disable ActiveX or you can restrict it to signed controls only (although a signed control can still be malicious), and all these configuration options may have a negative effect on the user's Internet browsing experience. But I'm confused to see some reports of flaws in current ActiveX controls - sure, the control can be abused to take over the user's PC, but if a malicious website wants to take over a user's PC, why don't they use their own ActiveX control? Is it that the majority of companies do not allow ActiveX controls to be downloaded (they must all be installed by IT)? Also, are there practical limitations to what an ActiveX control can do? Can it send crafted network packets (such as to exploit the recent MS RPC vulnerability), or has it only got high-level access to network commands? Is it relatively simple for an ActiveX control to be written to quietly get the browser to set up a remote control session from an external host, or to get the ActiveX control to download files off the network? Suggestions are welcome, thanks in advance.

    Exploiting vulnerabilities in installed ActiveX browser components is just an easy way for criminals to run their code without the user consenting or being aware of it. Why take the risk that a user might decline to install something by making them decide? Of course, they do that as well, and people are still socially engineered to run malware in the form of BHOs (browser helper objects) or ordinary executable files.

  5. #5
    Join Date
    Nov 2008
    Posts
    333

    Re: How bad is ActiveX?

    Quote Originally Posted by Joachim
    Ok - I've read a lot about ActiveX on the Internet, so I know that ActiveX is not run in a sandbox and it has the same level of access as the user. I know that you 'can' disable ActiveX or you can restrict it to signed controls only (although a signed control can still be malicious), and all these configuration options may have a negative effect on the user's Internet browsing experience. But I'm confused to see some reports of flaws in current ActiveX controls - sure, the control can be abused to take over the user's PC, but if a malicious website wants to take over a user's PC, why don't they use their own ActiveX control? Is it that the majority of companies do not allow ActiveX controls to be downloaded (they must all be installed by IT)? Also, are there practical limitations to what an ActiveX control can do? Can it send crafted network packets (such as to exploit the recent MS RPC vulnerability), or has it only got high-level access to network commands? Is it relatively simple for an ActiveX control to be written to quietly get the browser to set up a remote control session from an external host, or to get the ActiveX control to download files off the network? Suggestions are welcome, thanks in advance.

    Because any vaguely sensible security policy would, at a minimum, require user confirmation before installing them from the Internet or untrusted zones (and should probably not allow unsigned ones at all). They can do anything that an ordinary .exe can do, when run by the user of the browser. I don't know the exact rules for Windows, but there are some network operations that require Administrator access on Unix. Note, as you implied an environment where user convenience was more important than security, it may well be that the users do have Administrator rights! Yes. (It is possible that some firewall products may detect this, and that some virus/spyware programs may also sense a risk.) Generally, there is a strong correlation between the ability to produce a "rich user experience" and high security risks.

  6. #6
    Join Date
    May 2008
    Posts
    130

    Re: How bad is ActiveX?

    Quote Originally Posted by The Edge
    Because any vaguely sensible security policy would, at a minimum, require user confirmation before installing them from the Internet or untrusted zones (and should probably not allow unsigned ones at all). They can do anything that an ordinary .exe can do, when run by the user of the browser. I don't know the exact rules for Windows, but there are some network operations that require Administrator access on Unix. Note, as you implied an environment where user convenience was more important than security, it may well be that the users do have Administrator rights! Yes. (It is possible that some firewall products may detect this, and that some virus/spyware programs may also sense a risk.) Generally, there is a strong correlation between the ability to produce a "rich user experience" and high security risks.

    Agreed - we have that - but if the user has been fooled into thinking that this is a safe website, and if they are also being fooled into clicking on a link, then they will very likely click through any messages. We also block unsigned ActiveX, but I gather (from messages in the archives) that signing an ActiveX control is no big deal - particularly if the malefactor has access to stolen credit card details (or other stolen IDs). I guess the answer is to block all ActiveX downloads from the untrusted zone, but then we need to keep on top of installing controls manually.
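    Posts #5 and #6 describe the policy in words: prompt or block before a control is installed from the Internet zone, never allow unsigned downloads, and do not let controls that are not marked safe for scripting run unprompted. The following PowerShell script is an added example, not something posted in this thread; it reads the Internet Explorer "Internet" zone (zone 3) URL-action values that Microsoft documents for ActiveX (1001, 1004, 1200, 1201, 1208, with 0 = Enable, 1 = Prompt, 3 = Disable) and reports which ones fall outside that policy. The "acceptable" values are this example's reading of the posts' policy, not a setting the thread prescribes, and a Group Policy value under HKLM\Software\Policies is treated as overriding the per-user value, which is how IE resolves them.

```powershell
# Added example (not from the thread): audit IE Internet-zone ActiveX settings
# against the policy described in posts #5 and #6 of this thread.
# Action codes and the 0/1/3 meanings are Microsoft's documented URL actions;
# the Allowed lists below are this example's policy choice.

$ZonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action code -> description and the values this policy accepts
$Checks = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Allowed = @(1, 3) }  # Prompt or Disable
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Allowed = @(3) }     # Disable only
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                         Allowed = @(1, 3) }
    '1201' = @{ Name = 'Initialize and script controls not marked as safe';         Allowed = @(3) }
    '1208' = @{ Name = 'Allow previously unused ActiveX controls to run unprompted'; Allowed = @(3) }
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneValue {
    param([string]$Code)
    # A machine Group Policy value takes precedence over the per-user setting.
    foreach ($path in @($PolicyPath, $ZonePath)) {
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $Code -ErrorAction SilentlyContinue
            if ($null -ne $item) { return [int]$item.$Code }
        }
    }
    return $null   # not set anywhere: IE falls back to the zone template default
}

$Findings = foreach ($code in ($Checks.Keys | Sort-Object)) {
    $value = Get-ZoneValue -Code $code
    $label = if ($null -eq $value) { 'not set' }
             elseif ($Labels.ContainsKey($value)) { $Labels[$value] }
             else { "$value" }
    [pscustomobject]@{
        Action  = $code
        Setting = $Checks[$code].Name
        Value   = $label
        Status  = if ($null -ne $value -and $Checks[$code].Allowed -contains $value) { 'OK' } else { 'REVIEW' }
    }
}

$Findings | Format-Table -AutoSize

# Non-zero exit code if anything needs review, so the script can run from a login
# script or a scheduled task and feed a monitoring system.
if ($Findings | Where-Object Status -eq 'REVIEW') { exit 1 } else { exit 0 }
```

    The script only reads; a "not set" result means the zone is running on the template default, which is why the audit flags it for review rather than assuming it is safe. Remediation belongs in Group Policy (User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone), which writes the HKLM policy keys the script checks first, so an audited machine cannot be quietly relaxed by the user.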
