[3589] in WWW Security List Archive
(fwd) Making good ActiveX controls do bad things
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Tue Nov 19 17:58:33 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: www-security@ns2.rutgers.edu
Date: Tue, 19 Nov 1996 09:36:19 -0600 (CST)
Errors-To: owner-www-security@ns2.rutgers.edu
Forwarded from RISKS Digest 18.61:
| Date: Mon, 11 Nov 1996 23:49:03 -0500
| From: "Richard M. Smith" <rms@pharlap.com>
| Subject: Making good ActiveX controls do bad things
|
| There has been a great deal of talk about how ActiveX controls can be
| written to do malicious things on the Internet. However, what has not been
| recognized is that even standard ActiveX controls can be made to do
| malicious things via HTML and VBScript. Here are two simple examples of
| "good" ActiveX controls being made to do "bad" things:
|
| The computer crashing URL - file:///aux
|
| If Microsoft's ActiveMovie control is told to play a movie from the
| URL file:///aux Internet Explorer will go into an infinite loop under
| Windows 95. Attempting to shut down Internet Explorer by doing an "End
| Task" will more often than not crash Windows 95. This bug can be
| exploited by the "bad guys" to create HTML pages that will crash
| people's computers when the pages are downloaded from a web site.
|
|
| VBScript and ActiveX combo disk crasher
|
| Even more worrisome are ActiveX controls that contain methods (i.e.,
| function calls) that write files to disks. These methods can be used
| by a simple VBScript program to overwrite key system files like
| AUTOEXEC.BAT, CONFIG.SYS, REG.DAT etc. The damage is done simply by
| viewing an HTML page that contains the ActiveX control and the
| malicious VBScript code. I know of at least three commercially
| available ActiveX controls that have methods that will save files to
| disk. Any of these controls, I believe, can be exploited to build a
| disk crash HTML page. At least two of these controls have valid
| Authenticode digital signatures so that they can be automatically
| downloaded and executed even with the highest security settings in
| Internet Explorer 3.
|
| The big question in my mind is what can be done about solving these sorts of
| ActiveX security problems.
|
| Richard Smith
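
An added example, not part of the forwarded message: a pre-filter that a proxy or page sanitizer could apply to URLs handed to a media control, rejecting file: URLs that name a reserved DOS device such as the file:///aux case described above. The function names and the default base URL are assumptions made for illustration.

```javascript
// Reserved DOS device names. Legacy Windows path handling maps these to
// devices in any directory, in any letter case, with any extension.
const RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;

// Return the device name a single path segment resolves to, or null.
function reservedDevice(segment) {
  let name;
  try {
    name = decodeURIComponent(segment); // undo %61ux-style encoding
  } catch (e) {
    name = segment; // malformed escape: test the raw text instead
  }
  // "AUX.avi" and "aux ." still name the device: drop trailing dots and
  // spaces, then keep only the part before the first dot.
  name = name.replace(/[ .]+$/, "").split(".")[0].trim();
  return RESERVED.test(name) ? name.toUpperCase() : null;
}

// Hypothetical helper: decide whether a URL may be passed to the control.
// `base` is the URL of the page the value was found on (assumed default).
function checkMediaUrl(raw, base = "http://example.invalid/") {
  let url;
  try {
    url = new URL(raw, base);
  } catch (e) {
    return { blocked: true, device: null }; // unparsable: refuse
  }
  if (url.protocol !== "file:") return { blocked: false, device: null };
  // Split on literal and percent-encoded path separators.
  for (const seg of url.pathname.split(/[\/\\]|%5c|%2f/i)) {
    const hit = reservedDevice(seg);
    if (hit) return { blocked: true, device: hit };
  }
  return { blocked: false, device: null };
}

// Constructed sample inputs.
for (const u of ["file:///aux", "file:///c:/media/AUX.avi",
                 "file:///c:/media/auxiliary.avi", "movie.avi"]) {
  console.log(u, JSON.stringify(checkMediaUrl(u)));
}
```

Matching on the whole name before the first dot, rather than on a substring, is what keeps ordinary files such as auxiliary.avi from being rejected.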