RSSActiveX Controls Still Vulnerable After Four Years
By Scott M. Fulton, III | Published September 14, 2006, 5:39 PM
Activity spotted by an eWeek reporter on at least two "gray-hat" vulnerability research sites appears to indicate that an exploit for a weakness in one of Microsoft's Multimedia ActiveX controls discovered last June may still be feasible, even after four years of patches.
The fact that this set of controls, which was last used in Internet Explorer 5.0 and is still installed on many systems, could be so easily exploited to trigger heap overflows, has been a published fact since at least 2003.
Just last June, however, gray-hat firm Xsec found at least one other way to keep exploiting them. The US Department of Homeland Security was apparently notified of the exploit in late August, and released a bulletin last week. That bulletin stated the exploit had been witnessed running in IE 6.0 SP1, though the DHS rated its severity as "low."
The exploit Xsec discovered is frighteningly simple: Unchecked JavaScript code, reportedly running on a Chinese-language version of Windows Server 2003 prior to SP1, can be used to instantiate Microsoft's DirectAnimation library. By passing it a parameter for generating a spline -- a curved path -- using a value that's out-of-bounds for that function, a heap overflow condition is triggered. The original code, published by SecurityFocus, does not contain a payload for deployment after triggering the condition.
A recently published version of this exploit, on Xsec and one other site, essentially re-creates the exploit by enabling curious parties to compile a C-language routine that deploys it via the Windows Command Prompt.
SecurityFocus has catalogued the exploit as Bugtraq ID 19738, and states it knows of no patches released thus far that specifically address the issue. Meanwhile, Internet Security Systems classifies the exploit as "high risk," stating no known remedy existed as of its last update nearly three weeks ago.
This DAXCTLE exploit, for lack of a better name, is merely the latest in a series of recent security troubles for Microsoft that could be considered a "heap overflow" of a different variety.
Although more unpatched exploits from years past are being characterized as "zero-day exploits" for one reason or another, the problem for Microsoft has not been that malicious users are implementing exploits the same day vulnerabilities are discovered. The real issue is that they're successfully continuing to find exploits four years or more after the underlying problems are known.
the thing is microsoft does care look at what they did for the upgrade on xp sp2 they make it quite difficult for someone to accidently install an activex component and gives the user 2 warnings before installing it...we need smarter pc users
Score: 0
|ActiveX has always been a bad idea promoted for the wrong reasons.
Score: 0
|ActiveX will slowly be phased out in the next 5 years anyway... It'll be very tough to have competing products based on ActiveX (even when they are later vers of existing products OBVIOUSLY) - compared to .NET 3+ alternatives. Developers HATE using old tools. It's like working your a** off all day long with a manual drill when you can buy a $40 power drill at Sears...
Score: 0
|This just shows you that microsoft either doesn't know what they are doing. They don't care or they care clueless. What is so difficult when you make billions of dollars per quarter, have the best minds money can buy to just simply secure your software? Put out IE7 already, make it available for all windows platforms even windows 2000, just to help fix this problem. Just goes to show microsoft doesn't give a damn, its the hackers fault, our software is great, don't blame us, really.
Score: 0
|I like ActiveX, come get me.
Score: 0
|1461 days.
Score: 0
|haha, The funny thing is microsoft simply will not ditch active x even though it is the very thing that makes windows and ie such a p.o.s. especially security wise.
yes a lot of things use active x, however java and .net should be alternatives. Firefox is doing great using java and their own web app technology.
Score: 0
|Hilarious you bring up java(client, I assume?). Every java release to date has had system level security priv vulns.
Score: 0
|And even with that in mind, Java still poses far less of a security problem than ActiveX. There's a reason a non-IE browser reduces spyware by 90%.
Score: 0
|yeah, and there is a reason a developer still tries to design things in Flash or ActiveX instead of Java.
In our school, we changed all our programing classes from C/C++ to Java, now two years ago they completely banned Java, and now all our computers are Sun free. If you want to ask why, try making few programs and you'll see. Simple ones are okay, the more complicated it gets, either it's some REALLY HEAVY programing, or it gets heavy as hell for the user
Score: 0
|What do you mean by "Heavy"?
Score: 0
|