ActiveX security faces storm before calm
Robert Lemos, SecurityFocus 2006-07-31

HD Moore is at it again.

ActiveX Opt-In Overrated 2006-07-31
Matthew Murphy
There's already one system designed to forcibly "opt-out" users from dangerous ActiveX code -- it's called the IObjectSafety interface. It's used to indicate that code is or is not safe for initialization and scripting in a browser environment.

This posed a few problems:

First, some controls posed security threats before their initialization could be completed and the safety of the object could be verified. Some objects, when instantiated in a browser, will suffer trivially exploitable memory corruption and uninitialized data conditions.

Second, people marked controls as safe that just weren't. Period. Microsoft itself made this mistake with the Outlook View Control -- which allowed attackers to execute arbitrary code by design.

ActiveX opt-in will handle the first case -- invocations of objects which serve no legitimate purpose in a browser will be caught. The second case will be reduced, but not eliminated. Some controls are designed to be invoked within a browser but don't implement a reasonable security model to separate safe from unsafe functionality and only expose the former to hostile environments.

The third problem that ActiveX Opt-In simply WILL NOT solve is of vulnerabilities in web-targeted controls. Controls that are marked safe and solely targeted to the web will continue to have major vulnerabilities, as Moore's "Month of Browser Bugs" demonstrates.

Further, these controls are things like media players, download agents, toolbars, and even virus scanners. Users will let these things run -- because they are critical to some piece of desirable functionality. Because there's no minimum standard of competence enforced by the execution environment for an ActiveX control (where there is with Java) these controls will be a perpetual source of vulnerabilities and of zero-day attacks.

Further, the effectiveness of ActiveX opt-in is limited to the 5% of the population that doesn't double-click on executable attachments because they claim to be a source of prosperity, humor or porn. Microsoft left security to the user in the Windows 2000 era by depending on the user to turn OFF unneeded functionality. They're doing it with IE 7 by depending upon the user to make the right decision (with virtually no information other than "this is an unknown ActiveX control") to protect their system. The thing Microsoft still fails to get is that the user will get it wrong a good portion of the time. The margin of error is way too high.

The bots spawned from these "computer illiterate" and their hopelessly-compromised PCs will be a threat for the foreseeable future with this model of risk management from Redmond.

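The comment above turns on two mechanisms: a control's own safety claim (IObjectSafety at runtime, or the equivalent static "Implemented Categories" registry marking) and the fact that a control marked safe can still be wrong. As an added example that is not part of the article or of any commenter's text, the following PowerShell script enumerates registered controls that declare themselves safe for scripting or initialization and reports whether the administrator has already blocked each one with Internet Explorer's kill bit. It assumes a Windows host with the standard registry layout; the two CATID values and the 0x400 "Compatibility Flags" kill-bit value are Microsoft's documented constants, and the function name Get-SafeMarkedControls is this example's own.

```powershell
# Added example (not from the article or the comments): list COM controls that
# are registry-marked safe for scripting / initialization and show whether the
# IE kill bit is set for them. Assumes a Windows host; CATIDs and the 0x400
# kill-bit flag are the documented Microsoft values.

$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitFlag = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-SafeMarkedControls {
    # Walk HKCR\CLSID\{...}\Implemented Categories and keep only controls that
    # carry at least one of the two safety categories. The registry marking is
    # the static counterpart of answering "safe" from
    # IObjectSafety::GetInterfaceSafetyOptions.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid   = $_.PSChildName
        $catPath = Join-Path $_.PSPath 'Implemented Categories'
        if (-not (Test-Path $catPath)) { return }

        $cats      = (Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue).PSChildName
        $scripting = $cats -contains $CatSafeForScripting
        $init      = $cats -contains $CatSafeForInitializing
        if (-not ($scripting -or $init)) { return }

        # Kill bit: bit 0x400 of "Compatibility Flags" under ActiveX Compatibility\{CLSID}.
        $flags     = 0
        $compatKey = Join-Path $CompatRoot $clsid
        if (Test-Path $compatKey) {
            $v = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $v) { $flags = [int]$v }
        }

        [pscustomobject]@{
            CLSID               = $clsid
            Name                = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            Server              = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            SafeForScripting    = $scripting
            SafeForInitializing = $init
            KillBitSet          = (($flags -band $KillBitFlag) -ne 0)
        }
      }
}

# Usage: show every safe-marked control that a web page can still instantiate,
# i.e. the ones that have not been kill-bitted.
Get-SafeMarkedControls | Where-Object { -not $_.KillBitSet } |
    Sort-Object Name | Format-Table -AutoSize
```

The resulting list is the attack surface the comment describes: controls whose vendors asserted safety, whether or not that assertion holds. Reviewing it against the Server column (which DLL backs each control) is a practical way to decide which ones a managed environment actually needs, and to set the kill bit on the rest rather than relying on the per-user opt-in prompt.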
Micro$oft, microsecurity 2006-08-01
assurbanipal
ActiveX security faces storm before calm 2006-08-03
Juha-Matti Laurio
Copyright 2008, SecurityFocus