COMMAND
ActiveX
SYSTEMS AFFECTED
Win98
PROBLEM
Richard M. Smith found the following. He recently started using a
new HP Pavilion computer that is running Windows 98. As part of
ongoing research into Internet security issues, he discovered that
this computer was shipped with 2 ActiveX controls which are
extremely dangerous. These controls can be easily misused on a
Web page to gain access to the computer and run programs. More
worrisome, however, script code can be embedded in HTML Email
messages and the controls accessed from Outlook, Outlook Express,
and Eudora. The controls are marked "safe" for scripting even
though they can do things like launch programs and read and write
the Windows registry. Using these controls, some of the malicious
things that can be done include:
- Automatically install a computer virus or other malicious
software on a system.
- Turn off all Windows security checking, making a system
wide-open for future attacks.
- Read personal files from the local hard disk and silently
upload them to a remote Web site.
- Delete document files from the local hard drive.
- Remove Windows system files so that a system can no longer
be booted.
With less than 30 minutes of effort, he was able to construct a
test Email message that downloads a Windows executable file from
a remote FTP site and installs it on the local hard drive using
one of these ActiveX controls. After the file is successfully
installed, it is executed. For the test message, he downloaded
and ran the Windows calculator. However, the Email message could
download any Windows program such as the ExplorerZip virus or the
Back Orifice 2000 install program. In Outlook Express, this all
happens automatically when the Email message is read. There are
no attachments that have to be clicked on and no warnings with
default security settings.
The test Email message contains only about 10 lines of JavaScript
code to direct one of the HP ActiveX controls to do the download
and run the program. Anyone with experience in JavaScript
programming could easily duplicate the code he wrote. For obvious
reasons, Richard will not be publicly releasing this test Email
message.
Microsoft's Authenticode security system built into Internet
Explorer is of no use here because the ActiveX controls are
pre-installed on the computer and not downloaded from the
Internet. Authenticode only allows users to prevent downloading
of questionable ActiveX controls, not their execution once they
are installed on a system. The ActiveX controls are shipped on
the HP system for use in a system diagnostic package called
SystemWizard. This package is a product of SystemSoft
(http://www.systemsoft.com). The intention was that these controls
would only be used in SystemWizard and nowhere else. However,
because the controls are marked safe for scripting, any Web page
or Email message can use the controls in any manner it likes.
The controls either should never have been marked safe in the
first place or the controls need to do their own security
checking. Unfortunately neither precaution was taken.
The two SystemSoft controls are just thin wrappers around a number
of Win32 system calls. The Launch ActiveX control allows a
JavaScript program to run a DOS or Windows program and pass in
command line parameters. The RegObj ActiveX control allows a
JavaScript program to read, set, and scan registry keys. The
controls are accessed on a Web page simply by including an HTML
<OBJECT> tag with appropriate parameters. Pretty obviously, it
is not a good idea to allow JavaScript programs to make direct
Win32 system calls with such ease! To give an idea how easy the
Launch control is to misuse, the following JavaScript call will
remove the contents of someone's entire "My documents" directory
using the old DOS deltree command:
Launch('c:\\command.com', '/c deltree /y "c:\\My documents\\*.*"');
In addition to the two SystemSoft ActiveX controls, Richard also
found another ActiveX control pre-installed on the HP system
with a privacy leak in it. The control can give out Windows 98
registration information such as name, address, and phone number
to a Web site. This control was supplied by Encompass Corporation
(now part of Yahoo) and is used in an ISP sign-up program. The
control is marked safe for scripting on a new computer, but is
marked unsafe for scripting the first time dial-up networking
(DUN) is used on the system. This issue is specific to this
machine/build of the software. Unfortunately, on the tested HP
system Richard uses a LAN connection to access the Internet, so
the Encompass control stays marked safe for scripting forever and
could give out registration information (limited to name, address,
phone number) to a malicious person. Since he didn't use the
dial-up portion of the ISP sign-up, he simply removed the
registration application by going to Add/Remove Programs and
choosing the "Easy Internet Access" application. The control
also remains safe for scripting if one uses AOL as an ISP because
AOL does not use the DUN support in Windows 98. Since Encompass has
distributed versions of the software on different machines, he
has put together a demo page that will test a system to see if
the system has a version of the control that could release
registration information to a malicious person. The test page can
be found at:
http://www.tiac.net/users/smiths/acctroj/reginfo.htm
Richard also upgraded from version 4 of Internet Explorer to
version 5 on the HP system. Unfortunately, this upgrade installed
yet another dangerous ActiveX control on the system. This control
is the DHTML editing control, which can be easily misused to read
files from the local hard drive and upload them to a Web server.
How did so many of these insecure ActiveX controls get installed
on the computer in the first place? Because Internet Explorer (IE4
or IE5) comes bundled with Windows 98, it is becoming
increasingly popular for computer manufacturers to build
specialized utilities for their PCs using IE4, just as HP has
done. These utilities include registration software, ISP sign-up
programs, and shells for running common applications. With
Internet Explorer 4 it is very easy to develop user interfaces
for these types of utilities using standard HTML pages. ActiveX
controls are then typically used in these applications to provide
low-level access to the Windows operating system to do things
like run applications, access the registry, or read and write
files. These controls are only supposed to be used inside the
applications they are designed for. However, IE4 has no built-in
mechanism for restricting a particular ActiveX control to
particular Web pages. Therefore it is up to the application
developer to provide a security mechanism in their ActiveX
controls.
After looking at the problems of the HP system, Richard decided
to check out new Windows 98 systems from other computer
manufacturers for similar unsafe ActiveX controls. The first
thing he discovered is that it is very common for manufacturers
to ship utilities built as Web pages on their computers. Most of
these applications included ActiveX controls for doing things
like running programs and accessing the registry. The controls had
names like "SpawnApp", "SafeLanuch", "RegRead", and "Run".
However, because he didn't have direct access to these systems,
he had no way to test whether these controls can be misused
or not. Because there is no built-in security system in place
for pre-installed ActiveX controls, it is up to the person who
writes the control to make sure it is safe.
A typical Windows 98 system today ships with about 50
pre-installed ActiveX controls that are marked safe for scripting.
Because ActiveX controls are Win32 programs, it's not possible to
really know whether a control is safe or not. The developer's
claims about safety cannot necessarily be trusted. Without
systematic and detailed testing it is not possible to know if a
given control is really safe.
Here is information about another Microsoft ActiveX control that
is still being distributed with the Windows 98 Resource Kit today:
http://support.microsoft.com/support/kb/articles/Q218/6/19.ASP
This Resource Kit ActiveX control allows Windows programs to be
executed from a Web page or HTML Email message. What can users
do about all of these different ActiveX security holes? One
approach is to download patches to fix security holes as they are
found. Unfortunately, for most users it is not possible to know
what ActiveX controls are even installed on their system, never
mind knowing which ones are really safe. It might require going
to 4 or 5 different Web sites just to see what security patches
are available. A pretty impossible task for almost anyone.
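The inventory problem described above (about 50 pre-installed controls marked safe for scripting, and no easy way for a user to know which ones are installed) can at least be approached from the registry. The following is an added example, not code from the advisory or from Richard Smith: it parses a REGEDIT4 export (`regedit /e`) of HKEY_CLASSES_ROOT\CLSID together with Internet Explorer's "ActiveX Compatibility" key and lists every CLSID that declares the Safe-for-Scripting component category and is not blocked by a kill bit. The CLSIDs in the sample export are constructed, not the real SystemWizard ones.

```python
# Added example (not the advisory's code). Controls declare "safe for scripting"
# with component category CATID {7DD95801-...} under Implemented Categories; IE
# refuses to load a CLSID whose kill bit (Compatibility Flags 0x400) is set.
# Caveat: a control may instead claim safety at run time through IObjectSafety,
# which no registry scan can see, so an empty report does not prove a clean box.
import re

SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400
GUID = r"(\{[0-9A-Fa-f-]{36}\})"
CATEGORY_KEY = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\" + GUID + r"\\Implemented Categories\\" + GUID + r"\]$", re.I)
COMPAT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
    + GUID + r"\]$", re.I)


def parse_reg_export(text):
    """Return (safe_for_scripting, kill_bitted): two sets of upper-cased CLSIDs."""
    safe, killed, compat_clsid = set(), set(), None
    for line in (l.strip() for l in text.splitlines()):
        if m := CATEGORY_KEY.match(line):
            if m.group(2).upper() == SAFE_FOR_SCRIPTING:
                safe.add(m.group(1).upper())
            compat_clsid = None
        elif m := COMPAT_KEY.match(line):
            compat_clsid = m.group(1).upper()   # values that follow belong to it
        elif line.startswith("["):
            compat_clsid = None                 # some other key we do not track
        elif compat_clsid and line.lower().startswith('"compatibility flags"=dword:'):
            if int(line.rsplit(":", 1)[1], 16) & KILL_BIT:
                killed.add(compat_clsid)
    return safe, killed


def scriptable_controls(text):
    """CLSIDs a Web page or HTML mail can still script: marked safe, no kill bit."""
    safe, killed = parse_reg_export(text)
    return sorted(safe - killed)


# Constructed sample export: two scriptable controls, one of them kill-bitted.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}]
@="Launch-style control (constructed sample)"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BBBB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BBBB}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    print("Scriptable, un-killed controls:", scriptable_controls(SAMPLE_EXPORT))
```

Running it against the sample reports only the AAAA control, since BBBB is marked safe but blocked by its kill bit.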
SOLUTION
Both of the SystemWizard ActiveX controls were created last year
and they have been shipped on most HP desktop systems in the US
retail channel for at least the last 6 months. The number of
vulnerable computers is therefore quite substantial. The same
controls may also be shipped on other brands of computers. After
being alerted to the problems of these two controls, SystemSoft
is providing a patch file to fix the security holes. This patch
file can be downloaded from their Web site at this URL:
http://www.systemsoft.com/support/syswiz/index.htm
The bug in the IE5 ActiveX control (the DHTML editing control) was
discovered in March 1999 and has been fixed by Microsoft, but the
majority of IE5 users are still vulnerable because not many people
know about the problem. A security bulletin and patch for this
ActiveX control can be found on the Microsoft Web site:
http://www.microsoft.com/security/bulletins/ms99-011.asp
Richard created a Web page on his personal Web site that will
check to see what potentially unsafe ActiveX controls are
installed on a system. The URL for the test page is:
http://www.tiac.net/users/smiths/acctroj/axcheck.htm