ActiveX File Overwrite/Delete Vulnerabilities - Continued
In a blog article from last year, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.
Microsoft requires developers of ActiveX controls to mark their controls “not safe for scripting” if they can arbitrarily write or delete files. However, developers who do not realize the security implications or the full capabilities of their ActiveX control often fail to do so, allowing unauthorized remote users to write arbitrary files to disk. In some cases, the ActiveX control does not even need to be installed by the user, as was the case with the Access Snapshot Viewer ActiveX vulnerability.
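The "safe for scripting" decision is recorded in the registry, so an administrator can audit a machine for controls that are marked safe and check whether Internet Explorer's kill bit has been set for them. The following PowerShell script is an added example, not code from the Symantec post or from any of the vendors it names; it relies on the standard component-category CLSIDs for SafeForScripting and SafeForInitializing and on the documented "Compatibility Flags" kill-bit value (0x400). The function names and the output layout are the example's own.

```powershell
# Added audit script (not from the original post). Enumerates registered COM/ActiveX
# controls, reports which are marked "safe for scripting" / "safe for initializing"
# via the component-category registry keys, and whether the IE kill bit is set.

$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # bit in "Compatibility Flags" that stops IE from loading the control

function Test-KillBit {
    param([string]$Clsid)
    $key = "$KillBitRoot\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

function Get-ScriptableActiveX {
    # Walk every CLSID under the native class root and, on x64, the 32-bit (Wow6432Node) root
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid  = $_.PSChildName
            $catKey = "$root\$clsid\Implemented Categories"
            $safeScript = Test-Path "$catKey\$CATID_SafeForScripting"
            $safeInit   = Test-Path "$catKey\$CATID_SafeForInitializing"
            if ($safeScript -or $safeInit) {
                $name   = (Get-ItemProperty -Path "$root\$clsid" -ErrorAction SilentlyContinue).'(default)'
                $server = (Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    CLSID               = $clsid
                    Name                = $name
                    InprocServer        = $server
                    SafeForScripting    = $safeScript
                    SafeForInitializing = $safeInit
                    KillBitSet          = Test-KillBit -Clsid $clsid
                }
            }
        }
    }
}

function Set-KillBit {
    # Mitigation: set the kill bit so IE refuses to instantiate the control.
    # Requires an elevated prompt; the CLSID must come from your own inventory.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$KillBitRoot\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

# Usage: list controls marked safe that are still loadable from a web page (no kill bit yet)
Get-ScriptableActiveX | Where-Object { -not $_.KillBitSet } |
    Sort-Object Name |
    Format-Table CLSID, Name, InprocServer, SafeForScripting, SafeForInitializing -AutoSize
```

Two caveats when reading the output: a control can also declare itself safe at runtime by implementing IObjectSafety rather than registering the category keys, so a clean result from this registry walk is a first pass, not proof that nothing scriptable is installed; and on 64-bit Windows the 32-bit IE process reads its kill bits from the Wow6432Node copy of the ActiveX Compatibility key, so a kill bit applied for a 32-bit control should be set there as well.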
Recently we’ve seen a sharp rise in these types of vulnerabilities and have discovered them being exploited in the wild as part of an exploit pack. Symantec’s DeepSight honeypots observed the exploit pack attack leverage a number of older ActiveX overwrite/delete vulnerabilities, which had not been previously seen in the wild. The attack contained exploits for ActiveX overwrite/delete vulnerabilities in Microsoft, Yahoo, C6, Macrovision, Zenturi, Clever Internet suite, JetAudio, and other ActiveX controls.
Exploits for these vulnerabilities are detected by IPS (NIS, NAV, N360, SEP, and SCS) products as:
HTTP SnapShot Viewer ActiveX File Download
HTTP EDraw Flowchart ActiveX Overwrite
HTTP Yahoo! Messenger CYFT Ctrl GetFile
HTTP Clever Internet Suite Overwrite
HTTP Zenturi ProgramChecker DownloadUrl ActiveX File Overwrite
HTTP Cowon jetAudio ActiveX Dir Trav.
HTTP C6 Messenger ActiveX File Overwrite
HTTP MacroVision FlexNet USWA ActiveX BO
Encoded versions of these exploits are detected by Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) as:
MSIE MS Snapshot ActiveX File Download
MSIE EDraw Flowchart File Overwrite
MSIE Yahoo! Messenger GetFile Method File Upload
MSIE Clever Internet ActiveX File Overwrite
MSIE Zenturi ProgramChecker ActiveX File Overwrite
MSIE jetAudio JetFlExt ActiveX Insecure Method
MSIE C6 Messenger Suspicious File Download
MSIE InstallShield Macrovision ActiveX BO
Additionally, Symantec antivirus programs will detect this attack as Downloader. Various toolkits provide heavily obfuscated exploits to evade IDS. Symantec customers are protected against these attacks because Symantec products have a built-in Browser Protection feature that defends against obfuscated code attacks using ActiveX, JavaScript, VBScript, and drive-by downloads.
While application security improves and the technical difficulty of exploiting memory corruption flaws continues to increase, a number of easier-to-exploit and more reliable attack vectors still remain. ActiveX overwrite/delete vulnerabilities are trivial to exploit, which is why many malicious toolkits contain exploits for them. Unfortunately, we can expect continued discovery and exploitation of these vulnerabilities in the future.