Avast WEBforum

Other => General Topics => Topic started by: FreewheelinFrank on June 28, 2008, 09:27:00 AM

Title: ActiveX revisited
Post by: FreewheelinFrank on June 28, 2008, 09:27:00 AM
Quote
Even though I've always thought that ActiveX controls get a lot of undeserved bad press, it's clear that they are worse in this regard than other types of programs. A badly designed and vulnerable ActiveX control is a welcome mat to hostile software on whatever Web site you are unfortunate enough to visit, and many vendors were downright stupid over the years in their development and deployment of ActiveX controls.

I think this is less of a problem with more recent systems and software, but there's a world of old, bad ActiveX controls out there, and the only practical way to get to them is through Windows Update. Few of them have automatic update facilities, and users are unlikely to check manually. Certainly, if Windows Update doesn't get to those systems then they're a lost cause anyway.

http://www.eweek.com/c/a/Security/Microsoft-Will-Kill-ActiveX-Controls-If-You-Ask/

Quote
ActiveX is a Microsoft creation woven into both IE and the Windows operating system. It was designed to allow Web sites to develop interactive, multimedia-rich pages. However, such powerful features rarely ever come without security trade-offs.

Poorly designed ActiveX controls can be an extremely potent weapon for cyber crooks, since most ActiveX controls distributed with third party software are marked "safe for scripting." This means that they will run when invoked and without requiring the user's permission. As a result, any Web page can use the control and its methods, which in many cases includes the ability to download and execute potentially hostile code.

Not only are ActiveX vulnerabilities frequently targeted by hackers, they are among the most common browser-related vulnerabilities. In its latest Internet Security Threat Report, Symantec documented some 239 new vulnerabilities in Web browser plug-ins. Plug-ins for Adobe Acrobat, Flash, Java, Mozilla Firefox, QuickTime and Windows media player made up 21 percent of those, while the rest were all ActiveX related vulnerabilities.

While it is true that IE7 includes some extra security protections to prevent the automatic downloading of ActiveX controls, IE7 does nothing to prevent the execution or manipulation of ActiveX controls already installed by third-party software programs like Adobe Reader, QuickTime, iTunes, Java, and Flash, to name just a few. In my experience, tons of programs - from printer software to media players and social-networking site plug-ins - install their own ActiveX controls, but most people who have those controls installed would never miss them if they were removed or deactivated.

http://blog.washingtonpost.com/securityfix/2008/06/taming_internet_explorer_brows_1.html#comments

Quote
Taming Internet Explorer Browser Plug-Ins

Security Fix has often lamented the lack of decent point-and-click software tools to help Microsoft Internet Explorer Web browser users kill insecure "ActiveX controls," plug-ins for IE that have traditionally been among the biggest avenues of attack from spyware and adware. That's why I'm pleased to call attention to a free new tool called "AxBan," which helps neuter insecure ActiveX plug-ins installed by some of the most widely used third-party software applications.

(Same source.)
Title: Re: ActiveX revisited
Post by: polonus on June 28, 2008, 09:42:36 PM
Hi FwF,

AxBan 1.5 available

AxBan blocks known bad ActiveX Controls from running on your computer.

The newest version, AxBan 1.5 downloads a current copy of the ActiveX Control list at launch from an XML page. Added copy feature and information screen.

The new version of the tool is available here: http://portal.erratasec.com/axb/AxBan.exe

pol
Title: Re: ActiveX revisited
Post by: Lisandro on June 29, 2008, 11:00:10 PM
AxBan blocks known bad ActiveX Controls from running on your computer.
How does it work?
Title: Re: ActiveX revisited
Post by: polonus on June 29, 2008, 11:51:49 PM
Hi Tech,

It is a very straightforward tool, it lists all your ActiveX entries, and you can set a kill bit for those that form a threat, these settings are already advised by the tool: http://bp3.blogger.com/_AKhPPf_qofs/SCHHEzDFdbI/AAAAAAAAAVM/MENYO94ONp4/s1600-h/AxBan-full.jpg

ActiveX is dangerous
"After watching Milw0rm and other sites continue to add easy to exploit ActiveX control PoCs like the HP Update problem, we at Errata decided to add a free ActiveX killbit program. We will be updating it as needed with new CLSIDs on an as needed basis: http://portal.erratasec.com/axb/AxBan.exe
If the vulnerability has been patched, you can unkillbit selected.
The newest added protection against the latest Flash vulnerability: Newest beta: http://portal.erratasec.com/axb/AxBan-beta.exe
http://erratasec.blogspot.com/2008/05/0day-flash-vuln.html
Now there is a patch against this, you can unkillbit this ActiveX.


polonus
Title: Re: ActiveX revisited
Post by: Lisandro on June 30, 2008, 12:46:52 AM
you can set a kill bit for those that form a threat
How can we separate the good and the bad guys?
Title: Re: ActiveX revisited
Post by: polonus on June 30, 2008, 01:05:09 AM
Hi Tech,

That is already done for you, my friend. From approx. 237 vulnerable browser plug-ins that were found up last year, 210 were INSIDE ActiveX controls, making this the most dangerous browser plug-in today. Early this May Errata Security launched this free tool to block malicious ActiveX controls. Recently version 1.5 of AxBan came out, having an auto-update feature that downloads a list of the latest malicious ActiveX controls at start-up. There is also a possibility to cut and paste, and additional information is also available. The tool is 64KB large. So it only attacks the baddies, and those that are not yet patched by MS.
Active-X was a misconception from the start, and why won't MS admit this fact,

polonus


Title: Re: ActiveX revisited
Post by: Happy-Dude on June 30, 2008, 01:37:21 AM
Winpatrol 2008 (15.0.2008) is able to manipulate ActiveX controls for IE. Never really put it into strong use, though. I don't just casually install anything that crosses my eyes ;) .
Title: Re: ActiveX revisited
Post by: Lisandro on June 30, 2008, 02:13:42 AM
That is already done for you
So, does it need to be run as resident?
Title: Re: ActiveX revisited
Post by: polonus on June 30, 2008, 02:14:35 PM
Hi Tech,

It is completely secure, has to be run occasionally non-resident to be installed (the killbits are set into the registry in an easy way for those that are not that familiar with registry settings), via the program you can unset previous settings (unlock killbits) as easily if there is a reason for it (for instance if MS has patched a certain vulnerable ActiveX). The working of the thingie can be compared a bit to the workings of a hosts file. You work it in a similar way,

pol
Title: Re: ActiveX revisited
Post by: Lisandro on June 30, 2008, 09:35:01 PM
I'm probably stupid... but I can't understand this program (yet).
If it does not need to be resident, when I launch it, will it show (block) the infected ActiveX, allowing me to delete it? Does it work this way?
Title: Re: ActiveX revisited
Post by: polonus on July 01, 2008, 03:33:40 PM
Hi Tech,

Here you can read how MS establishes whether an ActiveX is safe for initialization:
http://blogs.technet.com/swi/archive/2008/02/03/activex-controls.aspx

Why don't you download axban and see for yourself what it does, it is additional security. It downloads a list of potentially dangerous ActiveX controls, and you can click to set a kill bit in the registry for a vulnerable or potentially dangerous ActiveX control. Microsoft looks for the kill bits in the registry before giving the red light; kill bit set means that specific ActiveX control cannot initialize, so you are safe from that particular potential vulnerability. In case Microsoft or a third party comes up with a patch for the once insecure or potentially dangerous ActiveX control (more than 230 potentially dangerous controls were found up to now), and there is no non-patched vulnerability anymore so the ActiveX control can no longer be abused, you can unlock the kill bit you have set before with Axban, and in case of initialization MS gives IE the green light: the ActiveX control with the unlocked kill bit set in the registry can be initialized again. I do not think this explanation of what the tool does is so very hard to comprehend? What the program does is that it can help setting the kill bits more easily to make sure potentially dangerous ActiveX won't be initialized automatically and pose an additional insecurity.

polonus
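
The kill-bit check described in the post above, as an added example that is not part of the original thread and is not AxBan's code. It assumes Microsoft's documented kill-bit location (the `Compatibility Flags` value, bit 0x400, under the IE `ActiveX Compatibility` key); the `.reg` export text and all CLSIDs are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE instantiating the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample: text of a `reg export` of BASE. CLSIDs and flag values are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000420
"""

KEY_RE = re.compile(r"^\[" + re.escape(BASE) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_flags(reg_text):
    """Return {CLSID (upper case): Compatibility Flags value} from .reg export text."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            clsid = m.group(1).upper() if m else None
        elif clsid and (m := VAL_RE.match(line)):
            flags[clsid] = int(m.group(1), 16)
    return flags

def audit(reg_text, blocklist):
    """Map each blocklisted CLSID to True if its kill bit is set, else False."""
    flags = parse_flags(reg_text)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in blocklist}

def set_kill_bit(value):
    return value | KILL_BIT    # block the control, keep every other compatibility flag

def clear_kill_bit(value):
    return value & ~KILL_BIT   # "unkillbit" after a patch: clear only this bit

if __name__ == "__main__":
    wanted = ["{11111111-1111-1111-1111-111111111111}",   # constructed blocklist
              "{44444444-4444-4444-4444-444444444444}"]
    for clsid, killed in audit(SAMPLE_REG, wanted).items():
        print(clsid, "kill bit set" if killed else "NOT blocked")
```

A CLSID with no entry under the key counts as not blocked, which is the case a blocklist tool has to fix. On 64-bit Windows, 32-bit IE reads the copy of this key under `SOFTWARE\Wow6432Node`, so both locations need auditing.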
Title: Re: ActiveX revisited
Post by: Lisandro on July 01, 2008, 03:45:21 PM
Why don't you download axban and see for yourself what it does, it is additional security.
I have done this two days ago...

you can click to set a kill bit in the registry for a vulnerable or potentially dangerous ActiveX control
How can I separate, or how does it separate and inform you about the dangerous ones?
I can't see any visual separation, of info, or green/red highlights...

In case Microsoft or a third party comes up with a patch for the once insecure or potentially dangerous ActiveX control (more than 230 potentially dangerous controls were found up to now), and there is no non-patched vulnerability anymore so the ActiveX control can no longer be abused
Do you mean that MS has already patched everything and I have nothing to worry about?
So, why do we need AxBan?

What the program does is that it can help setting the kill bits more easily to make sure potentially dangerous ActiveX won't be initialized automatically and pose an additional insecurity.
I understand it can help, but for a common user, how can we set a different ActiveX to be blocked?
Sorry, I'm stupid in these things...
Title: Re: ActiveX revisited
Post by: polonus on July 01, 2008, 04:07:13 PM
Hi Tech,

You wanna know if you have them aboard, then test it online in IE here:
http://www.computerbytesman.com/acctroj/axcheck.htm

Did you have any?

pol
Title: Re: ActiveX revisited
Post by: Lisandro on July 01, 2008, 05:47:33 PM
Hi Tech,

You wanna know if you have them aboard, then test it online in IE here:
http://www.computerbytesman.com/acctroj/axcheck.htm

Did you have any?

pol
This site wants to install a Supplement (add-on) into Internet Explorer. Should I go ahead? Is it safe?
Title: Re: ActiveX revisited
Post by: polonus on July 01, 2008, 06:40:00 PM
Hi Tech,

Trust no one, and that is the way to go. All DrWeb av link checker, finjan, scandoo give this as 100% clean site. Maybe this is authority enough for you, they officially linked to the link I gave you: http://www.governmentsecurity.org/forum/?showtopic=597

pol
Title: Re: ActiveX revisited
Post by: Lisandro on July 01, 2008, 08:36:08 PM
Is this? Am I clean so?
Title: Re: ActiveX revisited
Post by: polonus on July 01, 2008, 08:46:18 PM
OK
Title: Re: ActiveX revisited
Post by: Lisandro on July 02, 2008, 05:13:39 AM
OK
Thanks Polonus.