Tuesday, 12. November 1996
Making good ActiveX controls do bad things
There has been a great deal of talk about how ActiveX controls can be
written to do malicious things on the Internet. However, what has not been
recognized is that even standard ActiveX controls can be made to do
malicious things via HTML and VBScript. Here are two simple examples of
"good" ActiveX controls being made to do "bad" things:
The computer crashing URL - file:///aux
If Microsoft's ActiveMovie control is told to play a movie from the
URL file:///aux Internet Explorer will go into an infinite loop under
Windows 95. Attempting to shutdown Internet Explorer by doing an "End
Task" will more often than not crash Windows 95. This bug can be
exploited by the "bad guys" to create HTML pages that will crash
people's computers when the pages are downloaded from a web site.
VBScript and ActiveX combo disk crasher
Even more worrisome are ActiveX controls that contain methods (i.e.,
function calls) that write files to disks. These methods can be used
by a simple VBScript program to overwrite key system files like
AUTOEXEC.BAT, CONFIG.SYS, REG.DAT, etc. The damage is done simply by
viewing an HTML page that contains the ActiveX control and the
malicious VBScript code. I know of at least three commercially
available ActiveX controls that have methods that will save files to
disk. Any of these controls, I believe, can be exploited to build a
disk crash HTML page. At least two of these controls have valid
Authenticode digital signatures so that they can be automatically
downloaded and executed even with the highest security settings in
Internet Explorer 3.
The big question in my mind is what can be done about solving these sorts of
ActiveX security problems.
Richard Smith ["Richard M. Smith" <rms@pharlap.com> via risks-digest Volume 18, Issue 61]
disLEXia, a research project by Maximillian Dornseif