Page 309 - StudyBook.pdf
P. 309
Communication Security: Web Based Services • Chapter 5 293
that the author is the one using the control, or that it is being used in the way it
was intended, or on the site or pages for which it was intended. Microsoft also
cannot guarantee that the owner of the site or someone else has not modified the
pages since the control was put in place. It is the exploitation of these vulnerabili-
ties that poses the greatest dangers associated with using ActiveX controls.
Symantec’s Web site reports that the number of ActiveX vulnerabilities over the
last few years have increased dramatically, with those affecting ActiveX controls
shipped by vendors increasing upwards of 300 percent. From 2002 to 2005, there
was a range of 12 to 15 vulnerabilities affecting ActiveX controls found each year,
but in 2006, this number jumped to 50.While it would be nice to think that all of
these are due to inexperienced programmers who aren’t observing best practices in
coding, even Microsoft has shipped a number of vulnerable controls over the years.
The vulnerabilities that have occurred over the years include major issues that
could be exploited by hackers. For example, in 2006, vulnerabilities were found in
Microsoft’s XML Core Services that provided hackers with the ability to run
remote code on affected systems. If a hacker wrote code on a Web page to exploit
this vulnerability, he or she could gain access to a visiting computer.The hacker
would be able to run code remotely on the user’s computer, and have the security
associated with that user. In other words, if the user was logged in as an adminis-
trator to the computer, the hacker could add, delete, and modify files, create new
accounts, and so on.Although a security update was released in October 2006 that
remedied the problem, anyone without the security update applied to his or her
system could still be affected. It just goes to show that every time a door is closed
to a system, a hacker will find a way to kick in a window.
The Dangers of ActiveX
Tools & Traps… control as soon as it was loaded into an ActiveX control embedded on the
Prior to 2006, ActiveX controls could activate on a Web page without any
interaction from the user. For example, a video could play in an ActiveX
Web page. Since then, Web pages can still use the <APPLET>, <EMBED>,
or <OBJECT> tags to load ActiveX controls, but the user interface of the
control will be deactivated until the user clicks on the control. The reason
why Microsoft has suddenly blocked these controls from activating auto-
matically is due to a lawsuit with Eolas involving patented technology
that allowed content like ActiveX controls to load automatically. In 1994,
Microsoft was offered to license the technology, but refused, resulting in
a multimillion-dollar lawsuit for infringement. Because of the infringe-
ment case, Microsoft released a software update in 2006 that requires
Continued
www.syngress.com
