296 Chapter 5 • Communication Security: Web Based Services
installed. This vulnerability also allowed malicious code to exploit a buffer overflow error, permitting the execution of arbitrary code. Although buffer overflows are a widespread type of error, the solution is simple: programmers must take the extra time required to do thorough testing and ensure that their code contains proper bounds checking on all values that accept variable-length input.
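The bounds-checking point above, as an added example in C that is not from the study book: a fixed-size field is filled from variable-length input, first without a length check (the pattern behind the buffer overflow described) and then with one. The struct, the function names and the sample inputs are constructed for illustration.

```c
/* Added example (not from the study book): bounds checking on a
 * variable-length input field. `struct record`, FIELD_MAX and the
 * function names are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 16   /* fixed-size destination, typical of legacy control code */

struct record {
    char name[FIELD_MAX];
    int  privileged;   /* sits right after the buffer; an overrun would clobber it */
};

/* The "before": copies whatever the caller supplies, trusting its length.
 * Input longer than FIELD_MAX-1 bytes writes past `name` into adjacent memory. */
void copy_field_unchecked(struct record *r, const char *input)
{
    strcpy(r->name, input);          /* no bounds check at all */
}

/* The "after": measure the input without scanning past the limit, refuse
 * anything that does not fit, and always leave `name` NUL-terminated.
 * Returns 0 on success, -1 if the input was rejected (callers must check). */
int copy_field_checked(struct record *r, const char *input)
{
    size_t len = 0;
    while (len < FIELD_MAX && input[len] != '\0')
        len++;                                /* bounded length scan */
    if (len >= FIELD_MAX) {
        r->name[0] = '\0';                    /* well-defined value on rejection */
        return -1;
    }
    memcpy(r->name, input, len + 1);          /* len + 1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    const char *ok  = "alice";                              /* constructed: fits */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed: 32 bytes */

    printf("checked(\"%s\") -> %d, name=\"%s\"\n", ok, copy_field_checked(&r, ok), r.name);
    printf("checked(32 x A) -> %d, privileged=%d\n", copy_field_checked(&r, bad), r.privileged);
    /* copy_field_unchecked(&r, bad) would overrun name[] and corrupt `privileged`;
     * the function is kept only to show the pattern the text warns against. */
    return 0;
}
```

The hardened version fails closed: over-long input is rejected with a return code rather than truncated silently, so the caller can log or refuse the request, and the field adjacent to the buffer is never touched.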
Another vulnerability occurs when using older, retired versions of ActiveX controls. Some may have had errors, some not. Some may have been changed completely or replaced for some reason. After someone else has a copy of a control, it cannot be guaranteed that the current version will be used, especially if the old one can be exploited in some way. Although users will get an error message when they use a control that has an expired signature, many people will install it anyway. Unfortunately, there is no way to prevent someone from using a control after it has been retired from service. After a control that can perform a potentially harmful task is signed and released, it becomes fair game for every hacker on the Internet. In this case, the best defense is a good offense: thorough testing before releasing a control will save much grief later.
Lessening the Impact of ActiveX Vulnerabilities
An ActiveX vulnerability is serious business for network administrators, end users, and developers alike. For some, the results of misused or mismanaged ActiveX controls can be devastating; for others, it is never taken into consideration. There can be policies in place that disallow the use of all controls and scripts, but this has to be done at the individual machine level, and it takes a lot of time and effort to implement and maintain. This is especially true in an environment where users are more knowledgeable about how to change browser settings. Even when policy application can be automated throughout the network, this might not be a feasible solution if users need to be able to use some controls and scripts. Other options, such as firewalls and virus protection software, can limit the access of ActiveX controls, but their effectiveness is limited to the obvious and the known. Although complete protection from the exploitation of ActiveX vulnerabilities is difficult, if not impossible, to achieve, users at every level can take steps to help minimize the risk.
Protection at the Network Level
For network administrators, the place to start is by addressing the different security settings available through the network OS, such as:
■ Options such as security zones and SSL protocols to place limits on controls.
www.syngress.com