Read an Excerpt
Chapter 11: Malicious ActiveX Controls
ActiveX is considered by many to be Microsoft's answer to Sun's Java language, but it is much more than that. Chapter 11 discusses ActiveX, digital signing, and Microsoft's Authenticode security program.
Unlike Java, there isn't an ActiveX programming language. Instead, ActiveX is a Microsoft platform initiative grouping software development tools that allow Windows programs to work across networks. Initially code-named "Sweeper", the ActiveX architecture was formally announced at a San Francisco Developer's Conference in early 1996, as Microsoft's way to address the booming Internet programming market. At that conference, a slew of new tools were announced in support of ActiveX, including- VBScript, the OLE Scripting Service, new APIs, Microsoft-developed Internet protocols, and ActiveX controls. Microsoft released these new tools as part of its ActiveX Software Development Kit (SDK). ActiveX is an extension of Microsoft's 32-bit Windows API and Component Object Model (COM) models, and is now covered under the umbrella of the Distributed COM (DCOM) architecture. DCOM encompasses all programming tools that allow a Windows client to use a server program over a network. This distributed programming architecture is eventually culminating in Microsoft's .NET initiative (covered in Chapter 15).
Although began as a reactionary response to competitive pressures, ActiveX is really just a natural evolution of Microsoft API's allowing data to be shared between applications. Microsoft's Object Linking and Embedding (OLE) technology allows users to place data objects from one application into another, something DOS couldn't do. The first versions of OLE allowed users to copy data objects from one program to another. For example, a graphic chart could be copied from a spreadsheet into a word processor. The next phase of OLE allowed a linked object to "live" in another application. Now, a user could edit a chart in a word processor, and with an OLE link to a spreadsheet have the changes made in one automatically reflected in the other. ActiveX extends the functionality and allows, not just the data, but the entire application to be shared across the Internet.
Today, you can save a spreadsheet or document directly to the Web, or allow multiple users flung far across the Internet to make changes to a document you created. Objects, pictures, even sound files, can be linked from their distributed locations onto one page. ActiveX includes all the tools and methods to allow programmers to distribute their applications across the web into user's desktops.
TIP: ActiveX programs can be installed, used, and executed by hundreds of applications, including Microsoft's Outlook, Outlook Express, and Office product lines. Throughout this chapter, I will be discussing ActiveX as it runs within a browser, even when I often mean to include other applications within the context of the discussion.
An ActiveX control is an executable program that can be automatically delivered over the Internet where it usually runs within a browser. Contrasted against Java applets which are created in their own special language, ActiveX controls can be written in many different languages, including: C++, Visual Basic, Visual C++, Delphi, Powersoft, Java, C-Sharp (C#) and Visual J++. And because ActiveX controls are based on the OLE specification, controls written in one language can be re-used within controls written in another language. ActiveX controls are compiled into fast 32-bit machine language for Windows platforms. This means they can run only on systems that work with the WIN32 API and lose the portability advantaged gained by Java.
Since ActiveX controls are compiled programs originating from a variety of programming languages, they aren't limited to a basic set of routines. Besides being able to jazz up web pages and build sophisticated user forms, ActiveX controls can be any program they want to be. Complete spreadsheet and database programs are no problem. Local disk systems can be manipulated, connections can be established to other computers and networks, files transferred, and all invisible to the user. It is this feature-rich, openness that worries security experts. Every type of malicious code exploit that can be attempted with viruses, worms, and trojans, can be accomplished with ActiveX.
When you accept a control for the first time, the control is downloaded to your computer and the appropriate registry entries are created. Controls are registered in the
HKEY_CLASSES_ROOT\CLSID subkey, and can also be found in
HKEY_LM\Software\Classes. ActiveX controls usually have the file extension, .OCX, which stands for OLE Control. The typical Windows system has dozens of controls installed. Most are located in C:\%windir%\SYSTEM and C:\%windir%\Program Files\Common Files\Microsoft Shared, if you have MS-Office installed. Controls downloaded and installed by Internet Explorer are usually located at C:\%windir%\Download Program Files.
TIP: Files in C:\%windir%\Download Program Files are specifically concealed by the newer versions of Windows and will not show up with a File Find or DIR command. But you can use Windows Explorer or the DOS Change Directory and find the hidden subdirectory.
TIP: Internet Explorer 3.x stores ActiveX controls in C:\%windir%\OCCACHE.
Safe for scripting and initializing
ActiveX controls can be defined as Safe for Scripting and Safe for Initialization by the software publisher. By designating the control as safe, the vendor is saying that the control cannot be used maliciously and is safe to be manipulated by other scripting languages. Safe for Initialization means that no matter what values are passed to the control during its startup, it cannot do damage to a user's system. Safe for Scripting means that the control cannot be used maliciously no matter how its manipulated. Although each control has two safety settings, most of the popular press focuses on the Safe for Scripting moniker, even though they are referring to both. Controls that can create, read, or write files, or write to the registry are not considered explicitly safe, unless their actions are predetermined and specific.
Without this predefined safety check, a seemingly innocuous program could easily be used to do harm that the original publisher (programmer) did not intend. For example, a control could be made to function as a popup word processor that a user could write with and save notes. If marked Safe For Scripting, a malicious web page might be able to load the control, create and save new files, and use it to overwrite the user's startup files. There is much discussion within the security industry over this controversial setting. Particularly, how does a vendor guarantee his control to be bug free and not susceptible to maliciousness from other programs? There is no standard way for a vendor to test the safety of their code. As we will see later, it's difficult for a vendor to consider all the possibilities of their program's interactions.
Safe for Scripting or Initialization does not mean the control is safe for use. There might be a control that scrambles and deletes all your files when you execute it. As long as the result was not implemented by a script or initiated during startup by an unintended third party, it could still qualify for the Safe for Scripting setting. Obviously, this control would not be safe to have on your computer.
Differences between ActiveX and Java
ActiveX is often thought of as a Microsoft Java-clone. It isn't. Without the common goal of being optimized for Internet component-downloading, the two platforms don't share much in common. Here are some key differences.
- An ActiveX object is compiled, not interpreted. This means ActiveX programs can run extremely fast as compared to Java programs.
- ActiveX controls can be made with many different languages. Java applets can only be made by Java.
- ActiveX controls can do more than Java applets.
- ActiveX doesn't have the platform independence of Java.
- ActiveX controls only work in Microsoft's Internet Explorer browser (or with Netscape's browser with an ActiveX plug-in).
- With ActiveX there is no difference between the security rights given local or remote programs.
Web developers include an <OBJECT> tag within their HMTL page (see Example 11-1) to automatically download a control to the browser, much as with a Java applet. The ID field defines the name used by any related scripting language that presents the control. The CLASSID is a globally unique identifier used to identify the control (something you'll need to become comfortable with to locate a specific control on your machine) and the CODEBASE contains file identification information (minimum version and location). HEIGHT and WIDTH tell the browser how many pixels tall and wide to make the displayed control. Other custom startup parameters, such as the background color, can be passed to the control as it starts....