The ActiveX controls, which automatically download over the Internet, can damage your system. Solution to this problems have polarized Sun Microsystem's Java, and Microsoft's ActiveX. Java attempts to solve this problem by limiting a JavaT applet to access the client computer's file system. ActiveX components, on the other hand, use cryptographic techniques. They required positive identification of the author of the control and verify that it has not been altered since it was last signed.
If user attempts to load a Web page that uses a control not already registered on the user's system, Internet Explorer will automatically install the control. But before it does, the browser checks to see if the control has been digitally signed and it has not been altered since it was last signed [1]. If ActiveX control is not signed, and a user has set safety level to high. The Internet Explorer do not registered the control and the following dialog box appears:
If the security level is set to medium, the following dialog box will appears:
If the user selects "Yes", the control will installed on your system. If the user selects "no", an error will appears in the web page instead of the control.
ActiveX controls and Java applets are designed to make browsing experience more interactive. Based on the Component Object Model (COM), ActiveX controls are written in native program for specific platform like windows. When the user browse a page which contains ActiveX or Java, the browser download the control dynamically. ActiveX controls are native program, therefore, they can do all the things that one local program can do. Like, they can read and write hard drive, execute programs, can perform network administration tasks, can determine system configuration they are running on. The advantage we get from this is that ActiveX can perform powerful tasks. The disadvantage is that, ActiveX controls could also be used to damage the system and cause security problems to the network administrators.
Among many publicized charges put on to ActiveX, "this is the most accurate". [1]. According to Ben Elgin article appeared on ZD Internet Magazine:
"Despite their (ActiveX and Java) ability to add aesthetic and practical value to the Web, the security risks of Java and ActiveX remain the biggest headache among many network managers" [2].The ActiveX control you can automatically download over the Internet can do anything to your system. McAfee Associates has discovered a flaw in Microsoft's ActiveX Architecture and Windows 95. Users using Windows 95, Internet Explorer 3.x and Symantec's Norton Utilities 2.0 for Windows 95 can put their system in danger.
"Users running the combination of Windows 95, Internet Explorer 3.x, and Symantec's Norton Utilities 2.0 for Windows 95, one of the most popular and widely used software utility products for Windows 95, are currently known to be at risk. (In the spirit of disclosure, users should be aware that McAfee Associates and Symantec Corp. are competitors in the utilities and anti-virus software market.)Chaos Computer Club, hacker organization in Hamburg, Germany, claims that with bastardized ActiveX they can interact with other people bank account [2,4]. This was started last year in February, when this elite group of hackers demonstrated on the German television an ActiveX program, which transfer money between bank accounts without needing to enter required password.Neither Verisign's Authenticode (which is built-in to Internet Explorer) or recent IE security patches posted on Microsoft's Web site offer any protection. According to Reston, VA-based research firm PC Data, 143,559 licenses have been issued for Norton Utilities, and 125,825 users have Internet Explorer. The number of users who have actually deployed both at the same time is unknown.
The problem lies in TUNEOCX.OCX, a core component of Norton Utilities' System Genie. When installed, this OCX is marked as scriptable, which allows ActiveX-aware Web page scripts to make use of this ActiveX control. This control supports a "run" option that allows the script to execute any local application, such as the FORMAT or FTP (net-based file transfer) commands." [3]
According to David Folger, program director of workgroup computing strategies for Meta group (Westerport, CT), "A Web user left his or her password in his or her machine's memory was latter picked off by hacker through ActiveX control. The hacker later reuse the password in financial transaction under the original person name [2]".
This indicates how vulnerable systems can be too clever hackers. Even Microsoft own Web site, http://www.microsoft.com/activex/gallery/gallery.htm, has removed many ActiveX controls which where available for public use and replaced by following message:
"If you've visited the gallery before, you'll remember it contained over 100 controls from over 30 companies. Now you'll find only 12 controls from Microsoft. So where have all the controls gone? Well, now that the Internet Explorer 3.0 final release is out, we've asked our partners to digitally sign their controls for safe downloading, and we've temporarily pulled the controls while the code-signing takes place. We'll be adding the controls back in after they've been signed, so please check back!" [5].Steve Chang, CEO of Trend Micro, an antivirus software developer in Taipei, says that Sun Microsystems' Java and Microsoft ActiveX control performs variety of task without the knowledge of the user's. These components, get access to your hard drive, execute useless routines, block RAM, and steal CPU cycles [6].
There are numerous stories about security breaches, which revolve around ActiveX controls and Java applets. The majority of these programs is real innocent and is developed to enhance the web browsing experience. But in same time, there are ActiveX controls out in the market, which can really damage your system. Right now we must shut down any part of ActiveX, if we really want to protect ourselves from the security risks we get through Internet Explorer [2,3]. Microsoft Internet explorer allows you to disable ActiveX controls completely.
Java attempts to solve this problem by limiting a Java applet to access the client computer's file system. ActiveX controls, on the other hand, use cryptographic or authenticode techniques. They required positive identification of the author of the control and verify that it has not been altered since it was last signed [1,3].
Before downloading ActiveX, Internet Explorer first checks Authenticode header. If an Authenticode header is found, Internet explorer will display a following certificate dialog box, displaying information intended to help users decide whether to trust the author of the control.
The new Microsoft Authenticode process requires all ActiveX developers to digitally sign their control. To sign control, you'll need to obtain a digital ID from Certificate Authorities such as VeriSignT and GTE. This digital ID is used to encrypt certificate, which becomes Authenticode header [5].
There are two classes of digital IDs for AuthenticodeT technology.
Class 2 certificates, for individuals who publish software, cost US$20 per year and require that you provide your name, address, e-mail address, date of birth, and Social Security Number. After VeriSign verifies this information, you will be issued a certificate. Class 3 certificates, for commercial software publishers, cost US$400 per year and require a Dun and Bradstreet rating in addition to company name, location, and contacts. [5]
Once you obtain the certificate, use the SIGNCODE program provided with the ActiveX SDK to sign your code. There are details in six Steps to Signing Your Code. Note that you'll have to re-sign code if you modify it (such as to mark it safe for initializing and scripting). Note also that signatures are only checked when the control is first installed-the signature is not checked every time Internet Explorer uses the control.
Once your code is signed, even users whose security setting is high will be able to download, install, and register your controls. But they will only be able to use pages that initialize and script these signed controls if you mark them as safe for initializing and safe for scripting.
If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security. If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls and/or property manipulations in any order without doing anything bad.
But the question is, Is now Authenticated control is safe to use? No. Fred McLain, CEO of Apropos, a software engineering company, wrote an ActiveX control to demonstrate how easily one can does bad things with our computer systems even if the control is authenticated. He wrote Exploder ActiveX Control, which formats the hard drive [7].
"Exploder went through the Authenticode process, in which controls are submitted to VeriSign, the Digital-authentication Company that is working with Microsoft. With Authenticode, a software publisher signs its code with a unique digital signature, which confirms to users who published the control and that it hasn't been hacked." [7]
Microsoft admits that Authenticode was not designed to guarantees any safety. It just provides some security measures on the Internet [3]. Internet Explorer provided us configuration options that make us think that we are protected from security threats when we are not.
ActiveX controls that contain methods (i.e., function calls) that write files to disks. These methods can be used by a simple VBscript program to overwrite key system files like AUTOEXEC.BAT, CONFIG.SYS, REG.DAT etc. The damage is done simply by viewing an HTML page that contains the ActiveX control and the malicious VBScript code.
Microsoft Internet Explorer 4.0 will be loaded with five new security features. On June 3, 1997 Microsoft announced that the new version of Internet Explorer will equipped with the new Security Zone, Certificate management, and capabilities-based security features. The new Security Zone would allow users and administrator to divide the World Wide Web into several zones and can set different settings for each zone. The Certificate management would enable users to decide which third party control or other signed control to allow on their Internet [8].
Microsoft has taken steps to secure Internet Explorer. The Microsoft won't release Memphis (the code name for the next version of Windows) until they solve security problem surrounding Internet Explorer and ActiveX. The best solution till then to be careful and turned off ActiveX control completely.
My conclusion is that ActiveX technology is good for sharing code within a single security domain such as an intranet, but is unsuitable for use over the Internet at large. ActiveX can work well within an intranet because local auditing, security policies, and trust relationships already exist within an intranet. Any attempt to download ActiveX on a global scale is open to serious security attacks.
[1]
Coffee, Peter. "Java,
ActiveX Under a Microscope", ZD Internet Magazine, December 30, 1996.
[2]
Elgin, Ben. "Risky
Business-Addressing the security concerns of ActiveX, Java", ZD Internet
Magazine, February 24, 1997.
[3]
Berlin, David. "Norton Utilities,
Internet Explorer Combo Plus Systems in Harms Way", Windows Sources, July 39,
1997.
[4]
Maria Seminero,
"Hackers Claim ActiveX Can be used To Pilfer Online", PC Week, February 3,
1997.
[5]
Richter, Jake. "The ActiveX Intrusion", PC
Graphics Report, August 20, 1996.
[6]
"Kill Macro
Viruses", BYTE, December 1997.
[7]
"Bug of the
Month-Be Careful Out There!", BYTE, November 1996.
