ActiveX security problems with HP Pavilion computers


Richard M. Smith
rms@computerbytesman.com
July 21, 1999

At work, I recently started using a new HP Pavilion computer that is
running Windows 98.  As part of ongoing research into Internet
security issues, I discovered that this computer was shipped with
2 ActiveX controls, which are extremely dangerous.  These controls
can be easily misused on a Web page to gain access to the computer and 
run programs.  More worrisome, however, script code can be embedded in
HTML Email messages and the controls accessed in Outlook, Outlook 
Express, and Eudora.  The controls are marked "safe" for scripting 
even though they can do things like launch programs and read 
and write the Windows registry. 

Using these controls, some of the malicious things that can be done include:

   - Automatically install a computer virus or other malicious software
     on a system. 

   - Turn off all Windows security checking, making a system wide-open
     for future attacks.

   - Read personal files from the local hard disk and silently upload
     them to a remote Web site.

   - Delete document files from the local hard drive.

   - Remove Windows system files so that a system can
     no longer be booted.

With less than 30 minutes of effort, I was able to construct 
a test Email message that downloads a Windows executable 
file from a remote FTP site and installs it on the local hard drive
using one of these ActiveX controls.  After
the file is successfully installed, it is then executed.  For
my test message, I download and run the Windows calculator.
However, the Email message can download any Windows program such
as the ExplorerZip virus or Back Orifice 2000 install program.  In Outlook
Express, this all happens automatically when the Email message is
read.  There are no attachments that have to be clicked on
and no warnings with default security settings.
 
My test Email message contains only about 10 lines of JavaScript 
code to direct one of the HP ActiveX controls to do the download
and run the program.  Anyone with experience in JavaScript
programming could easily duplicate the code that I wrote.  For
obvious reasons, I will not be publicly releasing this test Email
message.

Microsoft's Authenticode security system built into Internet Explorer is 
of no use here because the ActiveX controls are pre-installed on the computer and
not downloaded from the Internet.  Authenticode only allows users
to prevent downloading of questionable ActiveX controls, not their
execution once they are installed on a system.

The ActiveX controls are shipped on the HP system for use in a
system diagnostic package called SystemWizard.  This package
is a product of SystemSoft (http://www.systemsoft.com).
The intention is that these controls would only be used in SystemWizard
and nowhere else.  However, because the controls are
marked safe for scripting, any Web page or Email message can
use the controls in any manner they like.  The controls either
never should have been marked safe in the first place or the controls need
to do their own security checking.  Unfortunately neither precaution was
taken.

The two SystemSoft controls are just thin wrappers
around a number of Win32 system calls.  The Launch ActiveX control
allows a JavaScript program to run a DOS or Windows program and
pass in command line parameters.  The RegObj ActiveX control
allows a JavaScript program to read, set, and scan registry keys. 
The controls are accessed on a Web page simply by including
an HTML <OBJECT> tag with appropriate parameters.  Pretty
obviously, it is not a good idea to allow JavaScript programs
to make direct Win32 system calls with such ease!

To give an idea how easy the Launch control is to misuse,
the following JavaScript call will remove the contents of
someone's entire "My documents" directory using the old
DOS deltree command:

    Launch('c:\\command.com', '/c deltree /y "c:\\My documents\\*.*"');  

Both of the SystemWizard ActiveX controls were created last year and, to my
understanding, have been shipped on most HP desktop systems in the
US retail channel for at least the last 6 months.  The number
of computers that are vulnerable is therefore quite substantial.
The same controls may also be shipped on other brands
of computers.

After being alerted to the problems of these two controls,
SystemSoft is providing a patch file to fix the security holes.
This patch file can be downloaded from their Web site at
this URL:

   http://www.systemsoft.com/support/syswiz/index.htm

In addition to the two SystemSoft ActiveX controls, I also found
another ActiveX control pre-installed on the HP system with a
privacy leak in it.  The control can give out Windows 98 registration
information such as name, address, and phone number to a Web site.
This control was supplied by Encompass Corporation (now part of
Yahoo) and is used in an ISP sign-up program.  The control
is marked safe for scripting on a new computer, but is marked unsafe for
scripting the first time dial-up networking (DUN) is used on the system.
This issue is specific to this machine/build of the software. 
Unfortunately on my HP system, I use a LAN connection to access
the Internet and therefore the Encompass control stays marked safe for
scripting forever and could give out registration information (limited to
name, address, phone number) to a malicious person.  Since I didn't use the
dial-up portion of the ISP sign up, I just removed the registration
application by going to the add/remove program files and choosing the "Easy
Internet Access" application.  The control also remains 
safe for scripting if one uses AOL as an ISP because AOL does not 
use DUN support in Windows 98.

Since Encompass has distributed versions of the software
on different machines, I've put together a demo page that will test a
system to see if the system has a version of the control that could
release registration information to a malicious person.  The test page
can be found at:

   http://www.computerbytesman.com/acctroj/reginfo.htm

I also upgraded from version 4 of Internet Explorer to version 5
on the HP system.  Unfortunately this upgrade installed yet
another dangerous ActiveX control on the system.  This control
is the DHTML editing control, which can be easily misused
to read files from the local hard drive and upload them to a Web server.
This bug was discovered in March 1999 and has been fixed by Microsoft
but the majority of IE5 users still are vulnerable because not many
people know about the problem.  A security bulletin and patch for
this ActiveX control can be found on the Microsoft Web site:

   http://www.microsoft.com/security/bulletins/ms99-011.asp

How did so many of these insecure ActiveX controls 
get installed on my computer in the first place?
Because Internet Explorer (IE4 or IE5) comes bundled with Windows 98, 
it is becoming increasingly popular for computer manufacturers
to build specialized utilities for their PCs using IE4 just like HP has
done.  These utilities include registration software, ISP sign-up programs, and shells for
running common applications.  With Internet Explorer 4 it is 
very easy to develop user-interfaces for these types of 
utilities using standard HTML pages.  ActiveX controls are then
typically used in these applications to provide low-level
access to the Windows operating system to do things
like run applications, access the registry, or read and write
files.  These controls are only supposed to be used inside the
applications they are designed for.  However, IE4 has no
built-in mechanism for restricting use of a particular ActiveX control
to particular Web pages.  Therefore it is up to the application
developer to provide a security mechanism in their
ActiveX controls.

After looking at the problems of the HP system, I decided
to check out other new Windows 98 systems from other computer
manufacturers for similar unsafe ActiveX controls.  The first
thing I discovered is that it is very common for manufacturers
to ship utilities built as Web pages on their computers.  Most
of these applications included ActiveX controls for doing
things like running programs and accessing the registry.
The controls had names like "SpawnApp", "SafeLanuch",
"RegRead", and "Run".  However, because I didn't have direct access to
these systems, I have no method to test to see if these controls
can be misused or not.  Because there is no built-in security
system in place for pre-installed ActiveX controls, it is
up to the person who writes the control to make sure it is
safe.  I have inquired with a number of computer manufacturers
about the controls I saw, but so far have not received back
any responses.  Given the subtle nature of ActiveX security
issues, I wouldn't be surprised if other computer models have
serious security problems also.

A typical Windows 98 system today ships with about 50 pre-installed
ActiveX controls that are marked safe for scripting.  Because ActiveX 
controls are Win32 programs it's not possible to really know if
a control is really safe or not.  The developer's claims about safety
cannot necessarily be trusted.  Without systematic and detailed testing
it is not possible to know if a given control is really safe.  I don't
believe full testing is really being done today.  For example, here
is information about another Microsoft ActiveX control that is
still being distributed with the Windows 98 Resource Kit today:

   http://support.microsoft.com/support/kb/articles/Q218/6/19.ASP

This Resource Kit ActiveX control allows Windows programs to be
executed from a Web page or HTML Email message.

What can users do about all of these different ActiveX security
holes?  One approach is to download patches to fix security holes
as they are found.  Unfortunately for most users it is not possible
to know what ActiveX controls are even installed on their system,
never mind knowing which ones are really safe.  It might require
going to 4 or 5 different Web sites just to see what security patches
are available.  A pretty impossible task for almost anyone.

One easy thing users can do is completely turn off ActiveX controls
in Internet Explorer.  This is done on the security tab of the "Internet
Options..." command in Internet Explorer.  This option however
is only available if the Web sites that one goes to don't use ActiveX
controls.

What can computer manufacturers and software companies do about
the problem of security holes in pre-installed ActiveX controls?
As it turns out, Internet Explorer 5 already offers a great solution.
IE5 supports a new feature called HTML applications (or .HTA files).  An HTML
Application is built like a Web page but can only be loaded
and executed from the hard drive.  Because an .HTA file comes from
the local drive and not the Internet, scripts on the page are completely
trusted and are allowed to use all ActiveX controls installed on a system
whether the controls are marked safe or not.  For an HTML application, none
of its private ActiveX controls have to be marked safe for scripting and therefore
the controls cannot be misused on Web pages. 

For current systems, my recommendation is that computer manufacturers
need to review carefully all the ActiveX controls which are pre-installed
on computers that are going out the door.  In the review, each control needs
to be checked for potential security problems.  It is particularly important
to look at controls that make Win32 system calls to load and execute
other programs, read and write files, and access the registry.
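
One way to begin the review recommended above, as an added example that is
not part of the original advisory: a Python script that reads a regedit
export of HKEY_CLASSES_ROOT\CLSID and lists every control registered under
the safe-for-scripting component category.  The CLSIDs, names and paths in
the sample export are constructed, and the name-based "review first" hint is
an assumption of this example, not a test of what a control does.

```python
import re

# CATID_SafeForScripting / CATID_SafeForInitializing component categories.
SAFE_SCRIPT = "{7DD95801-9882-11CF-9FA9-00AA006C4A90}"
SAFE_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C4A90}"
# Triage hint (assumption of this example): names suggesting launch/registry/file access.
RISKY_NAME = re.compile(r"launch|spawn|run|exec|reg|file", re.I)
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})(?:\\(.*))?\]$")

def audit_reg_export(text):
    """List CLSIDs that a regedit export marks safe for scripting."""
    controls, clsid, sub = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            clsid, sub = m.group(1).upper(), (m.group(2) or "").lower()
            rec = controls.setdefault(clsid, {"name": "", "server": "", "cats": set()})
            if sub.startswith("implemented categories\\"):
                rec["cats"].add(sub.split("\\", 1)[1].upper())
        elif line.startswith("["):
            clsid = None  # a key that is not under the CLSID branch
        elif clsid and line.startswith('@="') and line.endswith('"'):
            value = line[3:-1].replace("\\\\", "\\")  # .reg files escape backslashes
            if sub == "":
                controls[clsid]["name"] = value
            elif sub in ("inprocserver32", "localserver32"):
                controls[clsid]["server"] = value
    report = [{"clsid": c, "name": r["name"], "server": r["server"],
               "safe_for_init": SAFE_INIT in r["cats"],
               "review_first": bool(RISKY_NAME.search(r["name"]))}
              for c, r in controls.items() if SAFE_SCRIPT in r["cats"]]
    return sorted(report, key=lambda r: (not r["review_first"], r["name"]))

# Constructed sample export; none of these CLSIDs or paths belong to a real control.
SAMPLE = r"""REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example Launch Control"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\EXAMPLE\\LAUNCH.DLL"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4A90}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}]
@="Example Calendar Control"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4A90}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C4A90}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000003}]
@="Example Registry Helper"
"""
if __name__ == "__main__":
    print(*audit_reg_export(SAMPLE), sep="\n")
```

A control can also declare itself safe at run time through the IObjectSafety
interface, which a registry listing does not show, so a clean result here
does not clear a control.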

I've created a Web page on my personal Web site that will
check to see what potentially unsafe ActiveX controls are installed on
a system.  The URL for the test page is:

   http://www.computerbytesman.com/acctroj/axcheck.htm

Security problems with ActiveX controls have been a concern
for a long time, because these controls are binary programs
that are allowed to make any kind of Windows system call.  The industry
has mostly been worried about ActiveX controls that were intentionally
created with malicious code.  Microsoft addresses these concerns
with the Authenticode security system which allows users to decide if they
trust a particular author enough to run controls that the author has written.
Authenticode is based on adding digital signatures to controls.

However, the pattern I see here is a much different issue.
Instead we have computer and software vendors installing
ActiveX controls on systems without any notification and
these controls for whatever reasons contain security holes 
in them.  As I've pointed out here, I found 4 different 
ActiveX controls on my HP system from 3 different vendors
which compromised the safety of my system.  Not exactly
a great track record!  Going forward I hope that PC makers
take a closer look at the ActiveX controls that they
are shipping on their systems.  You never know who might
be using that hidden-away ActiveX to create problems for
us computer users.