Question about ActiveX

Discussion in 'other security issues & news' started by Rasheed187, Jul 25, 2004.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    What I still don't get about this technology is the following:

    Let's say you have disabled activeX and you go to a site which uses Flash, so you will now have to enable it. But how will you know that the site will only load the Flash control and not some malicious control on your system?
     
  2. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Flash doesn't need ActiveX to work. It works very well on browsers like Firefox, which totally lack ActiveX.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    I know, I was talking about IE, anyone with an answer? Because the most logical thing for me would be to give each activeX control that has been created a PIN, so if someone tries to load a control that doesn't have the permission to be loaded, it will just not load.

    I mean now it's an "all or nothing" approach, you either disable or enable controls. Currently I have disabled activeX, so if I need Flash or IPIX etc, I will have to enable it, but how will I know which controls they (the website) will load? I don't get it, didn't MS think about this stuff?
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Rasheed,

    When you say disabled ActiveX....which setting have you disabled ?
    If an ActiveX control\plugin....such as Macromedia Flash has already been installed....you then need to adjust your ActiveX controls and plugin setting....in particular Run ActiveX controls and plug-ins

    @ Pigman
    "Flash doesn't need ActiveX to work. It works very well on browsers like Firefox, which totally lack ActiveX."

    Which has what to do with Rasheed's question ?
     
  5. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    ActiveX controls are compiled executables that run with all of the privileges that the current user has. Basically, I would agree that Microsoft should have put a little more thought into the use of ActiveX controls from programs like IE, how they are authenticated, and how they are restricted. However, the problem is that most people actually kind of like the power and functionality that can be provided by ActiveX controls (eg, Windows Update, online AV scanners, corporate DB frontends, Macromedia Flash, etc.). Yes, some of this functionality can be duplicated or replicated with plugins compliant with the Netscape plugin API... but not all of it (and, contrary to what some would have you believe, the Netscape plugin API has certain security issues as well, albeit generally not as severe).

    ActiveX/COM controls actually do sort of have a "PIN" number, although it is called a CLSID (or Class ID). The CLSID is unique to each ActiveX control. Each ActiveX control can be either signed or unsigned (search for info on Microsoft Authenticode). Moreover, each control can be flagged as either "safe" for scripting or not. None of this is absolutely determinative of whether a specific control is malicious or not, though.

    Signed code just means that at least some effort went into verifying the identity of the publisher of the code, and in verifying that it hasn't been tampered with since being signed by said publisher. But signing alone isn't a guarantee that the code is absolutely harmless. The signer could "fake out" or "spoof" a trusted authority. Signed code from a trusted source could have its own vulnerabilities and possibly be repurposed for a malicious cause. Still, signed code does provide at least some additional measure of security.

    The idea behind the "safe" for scripting designation is that some code could be safe in the hands of an actual user, but may not be so in the hands of anonymous, automatic scripting mechanisms. For example, Microsoft Word can create, modify, and delete files... although generally this is acceptable for an individual user... but could be dangerous if used by anonymous scripting mechanisms. The scripts could potentially force Microsoft Word to delete or change valid files. In such a case, this code would not be marked as "safe" for scripting.

    So the short answer is that a new ActiveX control would have to be downloaded in order for it to run. The downloading and execution of such code is dependent upon the security settings of IE. The settings can be configured to either allow, deny, or prompt on signed code, on unsigned code, and/or "unsafe" code. Surely you have seen the 'Click OK if you trust this source' type of dialog box messages that signed code generates. You should probably just totally disable the execution of unsigned code. Moreover, you should not generally browse the web from the Administrator account, but rather use a regular "user" account for all your day-to-day activities.

    Further there is such a thing as a "kill" bit in Internet Explorer. The kill bit will prevent IE from ever loading and executing certain ActiveX controls identified by their CLSID. So if you happen to know the CLSID for a certain piece of malware then you can just set the "kill" bit for that CLSID in the registry options for IE. I believe this is how programs like SpywareBlaster work. They compile a huge list of malware CLSIDs and then set the kill bit for all of them. While they are at it they put a bunch of known bad web URLs in the "restricted" sites zone for IE.

    HTH...
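
The CLSID, kill bit and "safe for scripting" points in the post above can be checked against a registry export. This is an added example, not part of the thread and not SpywareBlaster's code; it uses IE's `ActiveX Compatibility` key, the `Compatibility Flags` value `0x400` and the safe-for-scripting category ID, none of which the thread names, and the sample export, CLSIDs and file path are constructed placeholders.

```python
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that makes IE refuse the control
COMPAT = "\\INTERNET EXPLORER\\ACTIVEX COMPATIBILITY\\"
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"  # category ID
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FLAGS = re.compile(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample in `reg export` text form; CLSIDs and path are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\WINDOWS\\OCCache\\example.ocx"
'''

def audit_controls(export_text):
    """Map each CLSID to its registered / kill_bit / safe_for_scripting state."""
    controls, key = {}, ""

    def entry(clsid):
        return controls.setdefault(clsid, {
            "registered": False, "kill_bit": False, "safe_for_scripting": False})

    for line in (raw.strip() for raw in export_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()          # remember the current key path
            guids = GUID.findall(key)
            if guids and "\\CLSID\\" in key:  # COM class registration
                item = entry(guids[0])
                item["registered"] = True
                if ("\\IMPLEMENTED CATEGORIES\\" in key
                        and SAFE_FOR_SCRIPTING in guids[1:]):
                    item["safe_for_scripting"] = True
            continue
        flags = FLAGS.match(line)
        guids = GUID.findall(key)
        if flags and guids and COMPAT in key:  # per-CLSID IE compatibility entry
            entry(guids[-1])["kill_bit"] = bool(int(flags.group(1), 16) & KILL_BIT)
    return controls

def kill_bitted(controls):
    """CLSIDs that IE will refuse to load."""
    return sorted(c for c, s in controls.items() if s["kill_bit"])

def scriptable_from_web(controls):
    """Registered, marked safe for scripting, and not stopped by a kill bit."""
    return sorted(c for c, s in controls.items()
                  if s["registered"] and s["safe_for_scripting"] and not s["kill_bit"])
```

A control can also declare itself safe at run time through the `IObjectSafety` interface, which a registry export does not show, so an empty `scriptable_from_web` result is a lower bound rather than proof.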
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Thanks for the feedback, I've read a few articles, but this one was the best yet, you should write for a magazine or something. ;)

    I do think MS should have thought about this technology a little longer, because it's obvious that this isn't a good approach I think. I do use spywareblaster btw, so that will hopefully save me from malicious controls (if I go to a bad website).

    @ Bubba

    With Maxthon you can enable and disable activeX with one click, of course you've got to configure IE in the most secure way, see the screenshots. :)

    Edit: I have changed one of the screenshots, now with the correct configuration. ;)

    http://img45.exs.cx/img45/6072/ScreenShot073.gif
    http://img52.exs.cx/img52/2064/ScreenShot069.gif
     
    Last edited: Jul 30, 2004
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Good thread :) Nice write up from Alec ;)

    Rasheed, the only thing I would change in your Security IE settings would be to have "Prompt" as the option instead of enable, for Signed ActiveX dl's.

    That way, you have *total* control over them, plus even if they come from MS, I **never** check the 'always trust from this site......' box on them when downloading.

    Prompting does not mean you get a stack you have to then say yes or no to, as in how many times do you have to dl an ActiveX. Once Wu/Macromedia/Flash are done, probably only Online AV scanners require you to legitimately dl one.

    Cheers, TAS
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Wait a minute, I'm a bit confused, I might have overlooked something: :doubt:

    If an activeX control (from a website) wants to become "active", the control has to be installed on your system first, right? So the Flash/IPIX control (or any other control) can only load if the control has been already installed on your system (otherwise you would get to see a prompt "do you want to install this activeX control?"), correct?

    If this is the case I might as well turn activeX on again, because I thought that as soon as you had enabled activeX, any control could be installed/loaded from a website in realtime, without even asking if it may do so or not. But this of course depends on your security settings, for some reason I forgot that.
    So I wonder, why do I need to use an app like SpywareBlaster? Because as far as I know I only have controls for Shockwave/Flash, IPIX, Windows Media, Quicktime and Adobe Acrobat on my system, so why do I need to worry? If some other control wants to load I just cancel the download, right? o_O

    @ Tassie Devils, you're correct, normally I have set it to prompt me, but I was testing Sleipnir (another IE shell) that has the ability to disable activeX control downloading on its own, just like Maxthon can disable activeX controls from executing, even though activeX is enabled in IE. :)
     
    Last edited: Jul 28, 2004
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hopefully this does not become complicated in an explanation but let's assume for a moment you do not have ANY ActiveX objects\plugins loaded....whether they be Malware(SpywareBlasters ActiveX protection....Comet Cursor, Xupiter toolbar, IEplugin....etc) or legitimate objects....(Shockwave/Flash, IPIX, Windows Media....etc). Let's also assume for a moment that you have the Internet Zone Security settings at prompt for three of the items that can play a part in this action....1)Run ActiveX controls and plug-ins.... 2 & 3) Download signed(Windows Media) or unsigned(Comet Cursor)ActiveX controls and plug-ins.

    Let's assume also that a site we are visiting has a shockwave file(swf) to load as part of its HTML code(remembering we have Prompt set). The first thing that happens is a Security warning popup concerning....Run ActiveX controls and plug-ins. We are prompted and we answer Yes. Then a Security warning box popup concerning....Download signed ActiveX controls and plug-ins. We also say yes. The ActiveX object is then downloaded, installed and commences to play the shockwave file.

    Simple scenario BUT if we enable any of the ActiveX settings mentioned above....all bets are off.

    This is a good topic and hopefully others will wish to add to my above simple explanation. While it has been mentioned here and other places that one can simply use another browser....Let's bypass that and Please continue this on-topic discussion without alternate browser suggestions. Many users are capable of securing IE if they will simply learn more about the actual settings and any if not ALL the vulnerabilities can simply be stopped by learning about Active script and or ActiveX components\plugins.
     
  10. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Precisely. "Running" does not mean "INSTALL"... that's a separate issue..
    It means to actually 'run any ALREADY installed'.

    You will still get a prompt to DOWNLOAD one [if set to that] so any ActiveX controls on our system are totally controlled by you, no "drive-bys" unless you check "enable" to the LOT of them ~ big trouble ~.

    Bubba summed it up nicely. :)

    TAS
     

  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Wandering only a little off-topic, the IE-committed ;) may wish to consider a product that runs ActiveX in a sandboxed environment. Finjan SurfinGuardPro is one such product and can protect against a number of known ActiveX exploits. However disabling ActiveX completely is still likely to be safer, and cheaper. :)
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    So SpywareBlaster is basically for people who are downloading all kind of controls right? I wonder why people are making such a fuss about it? Yes, activeX controls can be very dangerous because they don't run in a sandbox, but it's your job not to download untrusted controls in the first place. :)

    But to sum it up, a site can never execute a control that isn't installed on your system, so if you go to a site that you know Flash is on, you enable activeX and the site can only load Flash on your system.
    @Paranoid2000, you are not going to tell me that people can also bypass this (what I mentioned above), otherwise I give up. :(

    And btw, I still have disabled ActiveX because I don't want to see Flash all the time. When I need it I turn it on with one click (you can only do this with IE shells). ;)

    I have also updated my screenshot (of configuring IE's security, I misconfigured the most important setting!) I don't want people to make that mistake! But Tassie Devils, I see you have enabled "script ActiveX controls marked safe for scripting", are there any side effects when you disable this one?
     
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The side effect....as you refer to it....is that the ActiveX control referenced in a script would not run.

    Question---> Do you understand what script code contained inside of HTML is ?

    **1 important point from that setting.**

    ActiveX controls marked safe

    Below are a couple links that might help shed some light on your above question.

    Designing Secure ActiveX Controls

    Safety Settings for ActiveX Components
     
    Last edited: Jul 30, 2004
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    If you disable ActiveX completely, I'm afraid some websites may not work properly at all.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes, you're right Nadirah, if a website requires a control, you will notice it, but like I said before, I for example don't like to see Flash all of the time so I have disabled it, but if you don't mind you might as well enable activeX and be careful in which controls you load. ;)

    @ Bubba, the reason why I asked is because I have disabled it at the moment, but I ain't seeing any problems because of it, all my installed controls are working normally. Thanks for the links I will check them out. :)

    But isn't it strange that IE doesn't give you any feedback about which controls you have installed? With Netscape you could type "about:plugins" and it would show all installed plugins. Especially with ActiveX it would be very handy. I did find a folder in C:\WINDOWS\OCCache, and all my controls seem to be in there. Another app that might come in handy is MimeView (see link). And I have updated the screenshot in my other post, Imageshack was down.

    http://freehost14.websamba.com:8888/nirsoft/utils/mimeview.html
     
  16. Tryintolearn

    Tryintolearn Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    2
    Location:
    Florida
    I recently bought a new computer. I was living in Win98.... can you believe it!!! LOL I use this machine for work and would be in deep trouble if something happened to it, I do not have a back up! :'(

    I have not spent too much time on the net and previously worked in an environment with IT Pros so I never really had to do things myself. I have found this forum very helpful but I am still unsure how to set up my system for my boys to safely play games on sites like Cartoon Network, Nick, etc. I've downloaded spybot and run Norton (which I update daily!!) My boys are very young and for now they know if a window pops up to find me immediately. A good number of games require one to download something to play the games. I am quite concerned about how unsecure this could be but I do want the boys to be able to learn about the net and how to be safe.

    Any suggestions? There are many good suggestions below just not too sure which one would be best for our situation.
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Oh but they do :)

    IE....Tools\Internet Options\General tab....in the Temporary Internet files section....select Settings....then select View Objects
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Lol, forgot about that one, but look where they put it, just like it isn't really that important. There should have been a big button with "Installed ActiveX Controls" on the options window IMHO. ;)

    @Tryintolearn, I'm not sure if you are in the right thread, but I think you probably need Shockwave/Flash for the sites that you mentioned. The best thing is to disable activeX control downloads (in "internet options - security", see pics) after you have downloaded all the needed controls. :)
     
  19. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Welcome to the forums Tryintolearn . Go ahead and post a new thread in the "Privacy General" section, should get some friendly and knowledgeable advice addressing your concerns over there. ;)
     
  20. Tryintolearn

    Tryintolearn Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    2
    Location:
    Florida
    Thanks for the response, I'm fumbling my way through! :oops:
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    But what I totally forgot about was the "in your face" activex controls, the ones that try to install themselves by bombarding you with dialog boxes, I guess that's what SpywareBlaster is trying to stop.

    This has also been improved in XP SP2, and for example Maxthon and PopUpCop (see screenshot) also have ActiveX blockers. But my question is why do we need additional activeX blockers, why wasn't the "disable ActiveX controls" setting in Internet options enough? o_O


    http://img213.exs.cx/img213/8575/screenshot0114qc.png
     
  22. fggdf

    fggdf Guest

    Hmm seems to me there is little point of using another piece of software to pop up a warning, since you might as well let IE do it.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes I know Spanner intheWorks, but I'm just trying to understand what the difference is between ActiveX Controls like Flash, IPIX (legitimate controls) and other malicious controls that try to load on your system with those "you must click yes to continue" boxes. Even if you have disabled ActiveX controls from loading you will still get to see these dialog boxes. :mad:

    I mean it's kind of strange that the malicious controls were so hard to stop, and a while ago there weren't even specialized ActiveX controls blockers on the market. What took MS so long to fix this. o_O
     