The year 2006 saw the rise of numerous security trends such as attacks against social networks, initiatives by researchers to sequentially disclose many flaws in Web browsers and operating system kernels, attacks being used for financial gain, and a dramatic increase in the number of vulnerabilities affecting Web applications. During the last few months of the year, I have noticed another trend that did not receive much attention. There has been a significant increase in the vulnerabilities that affect ActiveX controls. These vulnerabilities can facilitate an assortment of attacks that may simply cause the disclosure of sensitive information to an attacker or, in the worst-case scenario, allow them to execute code to gain unauthorized access to an affected computer.
During the last few years there has been an increase in the number of vulnerabilities affecting ActiveX controls shipped by various vendors. In the year 2001, DeepSight Alert Services reported a single vulnerability affecting an AcitveX control. This number reached 50 during 2006.
Vulnerabilities affecting ActiveX controls over the past 6 years
Interestingly, there has also been a rise in ActiveX vulnerabilities during the last 6 months of 2006, and this trend applies to the quarterly figures as well. The first half of 2006 saw the release of 12 vulnerabilities, while in the second half the number jumped to more than triple that amount to 42. Similarly, during the first quarter of 2006, three ActiveX vulnerabilities were reported. This was followed by nine in the second quarter, 13 in the third quarter, and 26 in the fourth.
Vulnerabilities affecting ActiveX controls during 2006
This rise of vulnerabilities in ActiveX controls can be attributed to a variety of reasons. These include an increasing number of vendors shipping insecure ActiveX controls and the availability of a variety of security testing tools and ActiveX fuzzers that allow researchers and attackers to rapidly find vulnerabilities with relative ease. The rise of vulnerabilities might also be due to the prospects of finding critical vulnerabilities that facilitate remote unauthorized access in the context of the client application.
An article published on SecurityFocus in August 2006 reported a security researcher’s claims of discovering more than 100 vulnerabilities in ActiveX controls included with the default installation of Microsoft Windows XP. HD Moore, founder of the Metasploit framework, said that these vulnerabilities are likely to be disclosed to the public when fixes are available from the vendor. The researcher also released a version of the AxMan ActiveX Fuzzer that was used to find these vulnerabilities. Though the year 2006 saw a significant increase in the number of vulnerabilities in ActiveX controls, this trend will likely continue in 2007 due the availability of tools and increased interest in ActiveX security in the community.
It is imperative that users have a basic familiarity with the technology behind ActiveX in order to take some precautions to protect themselves against potential attacks. In my next post I will talk more about ActiveX technology and some mitigating strategies that users’ may employ to prevent attacks.
To be continued in Part 2...