294 Chapter 5 • Communication Security: Web Based Services
users running IE 6, Windows XP SP 2, or Windows Server 2003 SP1 to click
on ActiveX controls and Java applets to activate them. Other browsers
have also needed to make similar changes to accommodate the results of
the lawsuit. At the time of this writing, it is uncertain whether this added
step will be necessary in future versions of Windows and browser software.
As with the legal issues, the security issues involving ActiveX controls
are very closely related to the inherent properties of ActiveX controls.
ActiveX controls do not run in a confined space or “sandbox” as Java
applets do, so they pose much more potential danger to applications.
Also, ActiveX controls are capable of all operations that a user is capable
of, so controls can add or delete data and change the properties of
objects. Even though JavaScript and Java applets seem to have taken the
Web programming community by storm, many Web sites and Web applications
still employ ActiveX controls to service users.
As evidenced by the constant news flashes about compromised Web
sites, many developers have not yet mastered the art of securing their
controls, even though ActiveX is a well-known technology. Even when an
ActiveX control is written securely, issues involving vulnerabilities in
ActiveX itself have increased in recent years. This chapter helps identify
and avert some of the security issues that may arise from using poorly
coded ActiveX controls (many of which are freely available on the
Internet), and common vulnerabilities that may be encountered.
Avoiding Common ActiveX Vulnerabilities
One of the most common vulnerabilities with ActiveX controls has to do with the
programmer’s perception, or lack thereof, of the capabilities of the control. Every
programmer who works for a company or consulting firm and writes a control for
a legitimate business use wants his controls to be as easy to use as possible. He takes
into consideration the intended use of the control, and if it seems OK, he marks it
“safe-for-scripting.” Programmers set the Safe for Scripting flag so their ActiveX
controls aren’t checked for an Authenticode signature before being run. When Safe
for Scripting is enabled, code checking is bypassed, and the control can be run
without the user being aware of a problem. As you can see, this is a double-edged
sword. If the control is not marked “safe,” users will be inundated with warnings and
messages on the potential risk of using a control that is not signed or not marked as
safe. Depending on the security settings in the browser, they may not be allowed to
run it at all. However, after it is marked as safe, other applications and controls have
the ability to execute the control without requesting the user’s approval. You can
www.syngress.com
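To review which installed controls carry the “safe” markings discussed above, the registry can be audited. The following is an added example, not code from the book: it parses a regedit export and reports controls registered under the Microsoft-defined component categories for safe-for-scripting and safe-for-initialization. The sample export, its CLSIDs and names, and the function names are constructed for illustration.

```python
import re

# Microsoft-defined component category IDs (CATIDs) used to mark a control "safe".
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# Constructed sample in regedit export format; CLSIDs and names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-4AAA-8AAA-000000000001}]
@="Example Report Viewer"
[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-4AAA-8AAA-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-4AAA-8AAA-000000000001}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-BBBB-4BBB-8BBB-000000000002}]
@="Example File Helper"
[HKEY_CLASSES_ROOT\CLSID\{22222222-BBBB-4BBB-8BBB-000000000002}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]

[HKEY_CLASSES_ROOT\CLSID\{33333333-CCCC-4CCC-8CCC-000000000003}]
@="Example Unmarked Control"
'''

# Matches a CLSID key itself, or its "Implemented Categories\{CATID}" subkey.
KEY_RE = re.compile(
    r"^\[HKEY_[^\\\]]+\\(?:.*\\)?CLSID\\(\{[0-9A-Fa-f-]{36}\})"
    r"(?:\\Implemented Categories\\(\{[0-9A-Fa-f-]{36}\}))?\]$")

def audit_safe_flags(reg_text):
    """Return {CLSID: {"name", "scripting", "init"}} for every control in the export."""
    controls, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            clsid, catid = m.group(1).upper(), (m.group(2) or "").upper()
            entry = controls.setdefault(clsid, {"name": "", "scripting": False, "init": False})
            entry["scripting"] |= catid == CATID_SAFE_FOR_SCRIPTING
            entry["init"] |= catid == CATID_SAFE_FOR_INIT
            current = None if catid else clsid  # default value belongs to the CLSID key only
        elif line.startswith("["):
            current = None                      # some other subkey, e.g. InprocServer32
        elif current and line.startswith('@="'):
            controls[current]["name"] = line[3:-1]
    return controls

def scriptable(reg_text):
    """CLSIDs registered as safe for scripting. Controls that assert safety at run
    time through the IObjectSafety interface do not appear in the registry."""
    return sorted(c for c, e in audit_safe_flags(reg_text).items() if e["scripting"])

if __name__ == "__main__":
    for clsid in scriptable(SAMPLE_REG):
        print(clsid, audit_safe_flags(SAMPLE_REG)[clsid]["name"])
```

Each control the audit reports is one that script on a page can drive without a prompt, so those are the controls whose exposed methods deserve review first.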

