ActiveX Vulnerabilities Cause Concern
Of the 239 web browser plug-in vulnerabilities documented in the second half of 2007, 79% involved ActiveX components.
During that time frame, 58% of all vulnerabilities affected web applications. Traditional firewalls, which block attacks based on IP addresses and port numbers, are effectively useless against these web attacks, because the attacks arrive over the same ports as legitimate web traffic.
The number of vulnerabilities discovered in ActiveX components dwarfed the number found in all other web browser plug-in technologies:
- ActiveX components: 190
- Apple QuickTime: 19
- Sun Java: 13
- Adobe Flash: 11
- Windows Media Player: 4
- Adobe Acrobat: 1
- Mozilla browser extensions: 1
Symantec points to the availability of security research tools such as AxMan and COMRaider as one potential explanation for the alarming volume of known ActiveX vulnerabilities. However, the largest number of security vulnerabilities is still caused by poorly trained software developers. ActiveX components can, in theory, be programmed securely, but this requires significant investment in training software developers in both programming and security.
Many security professionals now recommend that users disable ActiveX in their web browsers to prevent these attacks.
Microsoft makes it difficult for Internet Explorer users to disable ActiveX without also disabling JavaScript. JavaScript, a competing technology, presents a much lower security risk.
To disable ActiveX in Internet Explorer, open the Tools menu and select "Internet Options", then click the Security tab. Choose "Custom Level" and scroll down to "Script ActiveX controls marked safe for scripting." Set it to Disable to block ActiveX entirely, or to Prompt to make ActiveX controls ask for your permission before they run.
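The manual steps above change per-user settings for the Internet zone that Internet Explorer stores in the registry. The following PowerShell script is an added example, not part of the original article, that audits those settings and can set them to Prompt or Disable across a fleet without clicking through the dialog. It assumes the per-user zone key for the Internet zone (zone 3) and the value numbers 1200 ("Run ActiveX controls and plug-ins") and 1405 ("Script ActiveX controls marked safe for scripting") with 0 = Enable, 1 = Prompt, 3 = Disable, as documented by Microsoft for Internet Explorer security zones; these identifiers come from that documentation, not from the article.

```powershell
# Added example (not from the original article): audit and optionally harden the
# Internet Explorer Internet-zone ActiveX settings that the article's manual steps change.
# Assumptions: per-user zone key HKCU\...\Zones\3 (Internet zone); value names
# 1200 = "Run ActiveX controls and plug-ins", 1405 = "Script ActiveX controls
# marked safe for scripting"; data 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [ValidateSet('Audit', 'Prompt', 'Disable')]
    [string]$Mode = 'Audit'   # Audit only reports; Prompt/Disable also write the setting
)

$zoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$settings = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$target = @{ 'Prompt' = 1; 'Disable' = 3 }

function Get-ZoneSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $zoneKey -Name $Name -ErrorAction SilentlyContinue
    # A missing value means IE uses the zone's built-in default for that setting.
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

foreach ($name in ($settings.Keys | Sort-Object)) {
    $current = Get-ZoneSetting -Name $name
    $shown = if ($null -eq $current)            { 'not set' }
             elseif ($labels.ContainsKey($current)) { $labels[$current] }
             else                                  { "unknown ($current)" }
    Write-Output ('{0} ({1}): {2}' -f $settings[$name], $name, $shown)

    # Only write when hardening was requested and the value is not already at the target.
    if ($Mode -ne 'Audit' -and $current -ne $target[$Mode]) {
        Set-ItemProperty -Path $zoneKey -Name $name -Value $target[$Mode] -Type DWord
        Write-Output ('  -> set to {0}' -f $Mode)
    }
}
```

Run it with no arguments to report the current state, or with `-Mode Disable` (or `-Mode Prompt`) to apply the setting the article describes. Auditing 1200 alongside 1405 matters because disabling only scripting of "safe" controls still lets controls load; a Disable for both is what blocks ActiveX entirely. Note that if an administrator has applied machine-wide zone policy, the equivalent values under HKLM take precedence over the per-user ones this script checks.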