The year 2006 saw the rise of numerous security trends, such as attacks against social networks, initiatives by researchers to disclose flaws in Web browsers and operating system kernels one after another, attacks carried out for financial gain, and a dramatic increase in the number of vulnerabilities affecting Web applications. During the last few months of the year, I have noticed another trend that did not receive much attention: a significant increase in vulnerabilities affecting ActiveX controls. These vulnerabilities can facilitate an assortment of attacks, ranging from the disclosure of sensitive information to an attacker to, in the worst case, execution of attacker-supplied code that grants unauthorized access to the affected computer.
Over the last few years the number of vulnerabilities affecting ActiveX controls shipped by various vendors has grown steadily. In 2001, DeepSight Alert Services reported a single vulnerability affecting an ActiveX control. In 2006, that number reached 50.
[Chart: Vulnerabilities affecting ActiveX controls over the past 6 years]
Interestingly, the rise is concentrated in the last six months of 2006, and the quarterly figures show the same pattern. The first half of 2006 saw 12 vulnerabilities released, while the second half jumped to 42, more than triple that amount. Similarly, three ActiveX vulnerabilities were reported in the first quarter of 2006, followed by nine in the second quarter, 13 in the third, and 26 in the fourth.
[Chart: Vulnerabilities affecting ActiveX controls during 2006]
This rise in ActiveX vulnerabilities can be attributed to a variety of reasons. These include a growing number of vendors shipping insecure ActiveX controls, and the availability of security testing tools and ActiveX fuzzers that allow researchers and attackers alike to find vulnerabilities rapidly and with relative ease. Another likely driver is the payoff: because an ActiveX control is native code executing inside the hosting client application (typically the Web browser), a flaw in a control that a Web page can instantiate offers the prospect of remote unauthorized access in the security context of that application and its user.
An article published on SecurityFocus in August 2006 reported a security researcher's claim of having discovered more than 100 vulnerabilities in ActiveX controls included with the default installation of Microsoft Windows XP. HD Moore, founder of the Metasploit framework, said that these vulnerabilities are likely to be disclosed to the public once fixes are available from the vendor. The researcher also released a version of the AxMan ActiveX fuzzer that was used to find these vulnerabilities. Although 2006 already saw a significant increase in the number of vulnerabilities in ActiveX controls, this trend will likely continue in 2007, given the availability of such tools and the increased interest in ActiveX security in the research community.
It is imperative that users have a basic familiarity with the technology behind ActiveX in order to take some precautions to protect themselves against potential attacks. In my next post I will talk more about ActiveX technology and some mitigating strategies that users may employ to prevent attacks.
To be continued in Part 2...