[Full-Disclosure] Software vendors just don't "get" ActiveX security

From: Richard M. Smith (rms_at_computerbytesman.com)
Date: 07/03/03

    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 2 Jul 2003 23:12:17 -0400
    
    

    Hi,

    Software vendors continue to not understand ActiveX security issues. I
    found a number of ActiveX controls on my laptop which are marked "safe
    for scripting", but they are clearly not. These controls contain
    methods which can be used from a Web page to do things like run
    programs, download files from Web sites to the local hard drive, provide
    file system access, etc.

    Here are some of the questionable controls:

    1. TgLib.System from www.support.com. This control plus
       related controls ship preinstalled on Sony laptops.
       These same controls are probably shipped with other
       brands of computers also.

    2. IPWorks.TFTP from www.nsoftware.com. I'm not even
       sure where this control came from. It's a TFTP
       server or client of some sort.

    3. FtpTree control from www.ftpvoyager.com. The control
       is installed with the FTP Voyager software, which is
       an FTP client for Windows.

    I notified all three vendors many months ago and there are some fixes
    available, but to be honest, I don't remember the details.

    Some background on ActiveX security:

     http://www.computerbytesman.com/acctroj/hp.htm
     http://www.cert.org/reports/activeX_report.pdf
     http://www.fawcette.com/archives/premier/mgznarch/vbpj/1997/04apr97/opinion.pdf

    Every Windows computer I've owned since 1998 has come preinstalled with
    ActiveX controls which were mismarked as "safe for scripting". I don't
    see this problem getting solved. There doesn't seem to be any mechanism
    for educating software vendors about ActiveX security. The same
    mistakes are being made over and over again. Perhaps ActiveX security
    is just too difficult.

    Richard M. Smith
    http://www.ComputerBytesMan.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
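The post says these controls are "marked safe for scripting" but does not show how that mark is made or how to find it. The following audit script is an added example, not part of Richard Smith's post or of any of the three vendors' software. It assumes the standard Windows mechanism: a control's CLSID registration under HKCR\CLSID declares the component categories CATID_SafeForScripting ({7DD95801-9882-11CF-9FA9-00AA006C42C4}) and CATID_SafeForInitializing ({7DD95802-9882-11CF-9FA9-00AA006C42C4}) as subkeys of "Implemented Categories", and Internet Explorer's kill bit is flag 0x400 in the "Compatibility Flags" value under the ActiveX Compatibility key. The function name Get-SafeForScriptingControls is mine.

```powershell
# Added audit script (not from the original post): list every COM class whose
# registration claims "safe for scripting" and/or "safe for initialization",
# and report whether IE's kill bit has been set for it. Run in an elevated
# PowerShell on the machine being audited.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # documented CATID
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # documented CATID
$KillBitFlag               = 0x400                                        # documented flag

function Get-SafeForScriptingControls {
    [CmdletBinding()]
    param(
        [string]$ClsidRoot  = 'Registry::HKEY_CLASSES_ROOT\CLSID',
        [string]$CompatRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $catPath = "$ClsidRoot\$clsid\Implemented Categories"
        if (-not (Test-Path -Path $catPath)) { return }

        # Category membership is expressed purely by the presence of a subkey named after the CATID.
        $cats       = @(Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
        $scriptSafe = $cats -contains $CATID_SafeForScripting
        $initSafe   = $cats -contains $CATID_SafeForInitializing
        if (-not ($scriptSafe -or $initSafe)) { return }

        # ProgID and server DLL identify what a web page would instantiate and which vendor shipped it.
        $progId = (Get-ItemProperty -Path "$ClsidRoot\$clsid\ProgID" -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "$ClsidRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        # Kill bit: if set, IE refuses to instantiate the control regardless of its safety claim.
        $flags   = (Get-ItemProperty -Path "$CompatRoot\$clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $killBit = (([int]$flags) -band $KillBitFlag) -ne 0

        [PSCustomObject]@{
            CLSID            = $clsid
            ProgID           = $progId
            Server           = $server
            SafeForScripting = $scriptSafe
            SafeForInit      = $initSafe
            KillBit          = $killBit
        }
    }
}

# Show only controls that are still reachable from a web page (no kill bit),
# so each one can be reviewed for methods that run programs or touch the file system.
Get-SafeForScriptingControls |
    Where-Object { -not $_.KillBit } |
    Sort-Object ProgID |
    Format-Table -AutoSize
```

Two caveats when reading the output. First, the registry category is only one of two ways a control can claim safety; a control can also answer IE's IObjectSafety query at runtime, so a control absent from this list may still be scriptable from a web page. Second, the mark is a claim made by the vendor, not a property the system verifies: a control that appears here with a ProgID like the ones named above should be judged by what its methods actually do, and if they can run programs or write to the file system it should get the kill bit or be removed, whatever its registration says.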

