Endpoint Protection


ActiveX File Overwrite/Delete Vulnerabilities 

Oct 23, 2007 03:00 AM

A new type of vulnerability is becoming more popular these days. It is an arbitrary file overwrite/delete vulnerability that can be exploited by attackers to overwrite or delete arbitrary files on an affected computer. These vulnerabilities exist particularly because of a registered ActiveX control failing to restrict which domains may load the control for execution. An attack exploiting this vulnerability can lead to arbitrary code execution by a remote attacker.

 

Successful exploitation of this vulnerability allows attackers to create, or append to, arbitrary files. An attacker can write to a startup folder to execute arbitrary code during the next reboot or logon session. A user will not be required to authorize the object instantiation since the object is within a signed ActiveX control. A typical exploitation scenario would require an attacker to convince a targeted user to visit a malicious website.

 

We have come across approximately 40 issues involving this type of vulnerability since May 2007, and the number is still growing, which hints at a new class of vulnerabilities in the making. Some of the more popular products affected by these vulnerabilities include VMware, Microsoft Visual Studio, NCTSoft, and HP Photo Digital Imaging. These vulnerabilities are easy to exploit, simply by creating a batch file or malicious .exe file and saving it in a vulnerable computer’s root or system directory.

 

By default, Internet Explorer blocks ActiveX controls that are not marked as safe for scripting, so end users should not allow the loading of untrusted ActiveX controls. Note that Symantec provides protection for the above-mentioned type of vulnerabilities.
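
One way to see which installed controls fall on the wrong side of that default, as an added example that is not part of the original post: the script below lists registered ActiveX controls that declare themselves safe for scripting in the registry and reports whether a kill bit stops Internet Explorer from loading them. The registry paths, the two category GUIDs and the `0x400` kill-bit flag are standard Windows values assumed here; none of them appear in the post, and the function and variable names are made up for this example.

```powershell
# Added example (not from the original post): list registered ActiveX controls that
# Internet Explorer treats as safe for scripting, and whether a kill bit blocks them.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from loading the control

# 64-bit and 32-bit registry views: class registrations paired with IE's kill-bit store.
$Views = @(
    @{ Classes = 'Registry::HKEY_CLASSES_ROOT\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Classes = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Test-KillBit {
    param([string]$CompatRoot, [string]$Clsid)
    $prop = Get-ItemProperty -LiteralPath "$CompatRoot\$Clsid" `
                -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }          # no entry means no kill bit
    return (($prop.'Compatibility Flags' -band $KillBit) -ne 0)
}

$report = foreach ($view in $Views) {
    if (-not (Test-Path -LiteralPath $view.Classes)) { continue }
    foreach ($class in Get-ChildItem -LiteralPath $view.Classes -ErrorAction SilentlyContinue) {
        $cats = "$($class.PSPath)\Implemented Categories"
        # Skip classes that do not register the safe-for-scripting category.
        if (-not (Test-Path -LiteralPath "$cats\$CatSafeForScripting")) { continue }
        $server = Get-Item -LiteralPath "$($class.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid       = $class.PSChildName
            Name        = $class.GetValue('')
            Binary      = if ($server) { $server.GetValue('') } else { $null }
            SafeForInit = Test-Path -LiteralPath "$cats\$CatSafeForInitializing"
            KillBitSet  = Test-KillBit -CompatRoot $view.Compat -Clsid $class.PSChildName
        }
    }
}

# Controls a web page can still script: review each against vendor advisories.
$report | Where-Object { -not $_.KillBitSet } | Sort-Object Binary | Format-Table -AutoSize
```

The registry audit only covers controls that register the safety categories; a control can also report itself safe at run time through `IObjectSafety`, which this listing does not detect.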

 

Message Edited by SR Blog Moderator on 10-28-2008 11:21 AM
