US-CERT: Turn Off ActiveX for Security

Although this is not the first time this branch of the US Dept. of Homeland Security has made the suggestion, its Computer Emergency Response Team is recommending this morning that users disable ActiveX altogether, in the wake of yesterday's discovery of a critical vulnerability in a Microsoft scripting library.

The library is installed by way of Visual Studio 2005, so it may be present only on development systems, which would limit the pool of possible victims of an exploit. Microsoft, however, believes such an exploit may already be in progress.

Though the library is not itself an ActiveX control (the kind of thing you'd actually see attached to a Web page), ActiveX was designed to let Web pages place remote procedure calls to registered Windows DLLs, which is what puts the library within reach of a page.

US-CERT also acknowledged this morning that it is aware that exploit code has already been published publicly, raising the likelihood of attacks in the near term.

For its part, Microsoft has added some new advice for administrators: a conventional phishing scheme may be employed to lure users into clicking a link within an e-mail message, which the company acknowledges could conceivably bypass rights restrictions. In a way, this may be the closest thing to an admission of ineffectiveness we are likely to see from Microsoft regarding its "zoning" of approved sites.

From the company's advisory: "The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario."

Outlook 2003 activates the Restricted sites zone for e-mail messages being read through its preview window by default, and a security patch for Outlook 2000 enables this restriction. Windows Server 2003 boosts this restriction's effectiveness with the addition of Enhanced Security Configuration, which adds new lockdowns to browser functionality even when they may reduce user convenience.

But if an Outlook user (or the user of any e-mail client) clicks on a link that opens a new, never-before-seen page in a Web browser, the source of that page will fall outside the Restricted sites zone and land in the Internet zone. In other words, the zone applies to known sites with security risks, even though attacks -- almost by definition -- come from unknown sites.

As Microsoft advises, the malicious page will gain the rights of the user if the exploit is successful. But if those rights are restricted anyway -- in other words, if browser users are given least privileges -- then the exploit may not be able to cause damage.
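The zone gap described above can be checked on a workstation. The following PowerShell script is an added example, not from the article, US-CERT or Microsoft; it assumes the Internet Explorer zone settings live under the per-user `Internet Settings\Zones\<n>` registry key (zone 3 = Internet, zone 4 = Restricted sites), with action values 1200, 1001, 1004 and 1400 and data 0 = Enable, 1 = Prompt, 3 = Disable, and it reports whether a page reached from an e-mail link could still run ActiveX or Active Scripting.

```powershell
# Added example (not the article's or vendor's code). Audits the IE zone
# settings that decide what a page opened from an e-mail link may run, and
# offers the "disable ActiveX" mitigation for the Internet zone.
# Assumed registry layout: HKCU:\...\Internet Settings\Zones\<zone>, value
# names 1200 (Run ActiveX controls and plug-ins), 1001 (Download signed
# ActiveX), 1004 (Download unsigned ActiveX), 1400 (Active Scripting);
# data 0 = Enable, 1 = Prompt, 3 = Disable. Group Policy may instead place
# these under HKLM; pass -Hive HKLM to audit that copy.

$ZoneNames = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$Actions   = @{ '1200' = 'Run ActiveX controls and plug-ins'
                '1001' = 'Download signed ActiveX controls'
                '1004' = 'Download unsigned ActiveX controls'
                '1400' = 'Active Scripting' }
$States    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionState {
    param([int]$Zone, [string]$Action, [string]$Hive = 'HKCU')
    $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $val = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $null }   # absent: IE uses its built-in default
    return [int]$val.$Action
}

function Test-ActiveXExposure {
    param([string]$Hive = 'HKCU')
    foreach ($zone in $ZoneNames.Keys) {
        foreach ($action in $Actions.Keys) {
            $state = Get-ZoneActionState -Zone $zone -Action $action -Hive $Hive
            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Action  = $Actions[$action]
                State   = if ($null -eq $state) { 'not set' } else { $States[$state] }
                # A never-before-seen site lands in the Internet zone, so anything
                # other than Disable there is the gap the article describes.
                Exposed = ($zone -eq 3 -and $state -ne 3)
            }
        }
    }
}

function Disable-InternetZoneActiveX {
    # Per-user mitigation in the spirit of the US-CERT advice: block running
    # and downloading ActiveX controls for the Internet zone.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($action in '1200', '1001', '1004') {
        Set-ItemProperty -Path $key -Name $action -Value 3 -Type DWord
    }
}

Test-ActiveXExposure | Format-Table -AutoSize
```

Run `Disable-InternetZoneActiveX` only after reviewing the table, since it changes the current user's Internet zone and will break sites that rely on ActiveX.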

Details about the inner workings of the exploit itself remain unavailable, short of downloading the exploit from its public source and trying it out.


© 1998-2024 BetaNews, Inc. All Rights Reserved.