mailing list archives
New ActiveX security problems in Windows 98 PCs
From: dmurray () JSBSYSTEMS COM (David N. Murray)
Date: Thu, 29 Jul 1999 20:42:29 +0000
I saw this come across comp.risks and thought it was appropriate for
Bugtraq. I haven't seen anything about it on Bugtraq before.
Date: Thu, 22 Jul 1999 22:12:27 -0400
From: "Richard M. Smith" <smiths () tiac net>
Subject: New ActiveX security problems in Windows 98 PCs
At work, I recently started using a new HP Pavilion computer that is
Windows 98. As part of ongoing research into Internet security issues,
discovered that this computer was shipped with 2 ActiveX controls, which
extremely dangerous. These controls can be easily misused on a Web page
gain access to the computer and run programs. More worrisome however
code can be embedded in an HTML Email messages and the controls accessed
Outlook, Outlook Express, and Eudora. The controls are marked "safe"
scripting even though they can do things like launch programs and read
write the Windows registry.
Using these controls, some of the malicious things that can be done
- Automatically install a computer virus or other malicious software
on a system.
- Turn off all Windows security checking, making a system wide-open
for future attacks.
- Read personal files for the local hard disk and silently upload
them to a remote Web site.
- Delete document files from the local hard drive.
- Remove Windows system files so that a system can no longer be
With less than 30 minutes of effort, I was able to construct a test
message that downloads a Windows executable file from a remote FTP site
installs it on the local hard drive using one of these ActiveX controls.
After the file is successful installed, it then is executed. For my
message, I download and run the Windows calculator. However, the Email
message can download any Windows program such as the ExplorerZip virus
Back Orifice 2000 install program. In Outlook Express, this all happens
automatically when the Email message is read. There are no attachments
have to be clicked on and no warnings with default security settings.
direct one of the HP ActiveX controls to do the download and run the
duplicate the code that I wrote. For obvious reasons, I will not be
publically releasing this test Email message.
Microsoft's Authenticode security system built into Internet Explorer is
no use here because the ActiveX controls are pre-installed on the
and not downloaded from the Internet. Authenticode only allows users to
prevent downloading of questionable ActiveX controls, not their
once they are installed on a system.
The ActiveX controls are shipped on the HP system for use in system
diagnostic package called SystemWizard. This package is a product of
SystemSoft (<http://www.systemsoft.com>). The intention is these
would only be used in SystemWizard and no where else. However, because
controls are marked safe for scripting, any Web page or Email message
use the controls in any manner they like. The controls either never
have marked safe in the first place or the controls need to do their own
security checking. Unfortunately neither precaution was taken.
The two SystemSoft controls are just thin wrappers around a number of
a DOS or Windows program and pass in command line parameters. The
keys. The controls are accessed on a Web page simply by including an
<OBJECT> tag with appropriate parameters. Pretty obviously, it is not a
with such ease!
To give an idea how easy the Launch control is to misuse, the following
directory using the old DOS deltree command:
Launch('c:\\command.com', '/c deltree /y "c:\\My documents\\*.*"');
Both of the SystemWizard ActiveX controls were created last year and my
understanding have been shipped on most HP desktop systems in the US
channel for at least the last 6 months. The number of computers, which
vulnerable, is therefore quite substantial. The same controls may also
being shipped on other brands of computers.
After being alerted to the problems of these two controls, SystemSoft is
providing a patch file to fix the security holes. This patch file can
downloaded from their Web site at this URL:
In addition to the two SystemSoft ActiveX controls, I also found an
ActiveX control pre-installed on the HP system with a privacy leak in
The control can give out Windows 98 registration information such as
address, and phone number to a Web site. This control was supplied by
Encompass Corporation (now part of Yahoo) and is used in an ISP sign-up
program. The control is marked safe for scripting on a new computer,
marked unsafe for scripting the first time dial-up networking (DUN) is
on the system. This issue is specific to this machine/build of the
software. Unfortunately on my HP system, I use a LAN connection to
the Internet and therefore the Encompass control stays marked safe for
scripting forever and could give out registration information (limited
name, address, phone number) to a malicious person. Since I didn't use
dial-up portion of the ISP sign up, I just removed the registration
application by going to the add/remove program files and choosing the
Internet Access" application. The control also remains safe for
if one uses AOL as an ISP because AOL does not use DUN support in
Since Encompass has distributed versions of the software on a different
machines, I've put together a demo page that will test a system to see
the system has a version of the control that could release registration
information to a malicious person. The test page can be found at:
I also upgrade from version 4 of Internet Explorer to version 5 on the
system. Unfortunately this upgrade installed yet another dangerous
control on the system. This control is the DHTML editing control, which
be easily misused to read files from the local hard drive and upload
a Web server. This bug was discovered in March 1999 and has been fixed
Microsoft but the majority of IE5 users still are vulnerable because not
many people know about the problem. A security bulletin and patch for
ActiveX control can be found on the Microsoft Web site:
How did so many of these insecure ActiveX controls get installed on my
computer in the first place? Because Internet Explorer (IE4 or IE5)
bundled with Windows 98, it is becoming an increasing popular for
manufacturers to build specialized utilities for their PCs using IE4
like HP has done. These utilities include registration software, ISP
sign-up programs, and shells for running common applications. With
Explorer 4 it is very easy to develop user-interfaces for these types of
utilities using standard HTML pages. ActiveX controls are then
used in these applications to provide low-level access to the Windows
operating system to do things like run applications, access the
read and write files. These controls are only suppose to be used inside
applications they are designed for. However, IE4 has no built-in
for restricting use of a particular ActiveX control to be used with
particular Web pages. Therefore it is up to application developer to
provide a security mechanism in their ActiveX controls.
After looking at the problems of the HP system, I decided to check out
new Windows 98 systems from other computer manufacturers for similar
ActiveX controls. The first thing I discovered that is very common for
manufacturers to ship utilities built as Web pages on their computers.
of these applications included ActiveX controls for doing things like
running programs and accessing the registry. The controls had names
"SpawnApp", "SafeLanuch", "RegRead", and "Run". However, because I
have direct access to these systems, I have no method to test to see if
these controls can be misused or not. Because their is no built-in
system in place for pre-installed ActiveX controls it is up to the
who writes the control to make sure they are safe. I have inquired to a
number of computer manufacturers about the controls I saw, but so far
not received back any responses. Given the subtle nature of ActiveX
security issues, I wouldn't be surprised that other computer models have
serious security problems also.
A typical Windows 98 system today ships with about 50 pre-installed
controls that are marked safe for scripting. Because ActiveX controls
Win32 programs it's not possible to really know if a control is really
or not. The developer's claims about safety cannot necessarily be
Without systematic and detailed testing it is not possible to know if
control is really safe. I don't believe full testing is really being
today. For example, here is information about another Microsoft ActiveX
control that is still being distributed with the Windows 98 Resource Kit
This Resource Kit ActiveX control allows Windows programs to be
executed from a Web page or HTML Email message.
What can users do about all of these different ActiveX security holes?
approach is download patches to fix security holes as they are found.
Unfortunately for most user's it is not possible to know what ActiveX
controls are even installed on their system, never mind knowing which
are really safe. It might require going to 4 or 5 different Web sites
sees what security patches are available. A pretty impossible task for
One easy thing users can do is completely turn off ActiveX controls in
Internet Explorer. This is done on the security tab of the "Internet
Options..." command in Internet Explorer. This option however is only
available if the Web site that one goes to don't use ActiveX controls.
What can computer manufacturers and software companies do about the
of security holes in pre-installed ActiveX controls? As it turns out,
Internet Explorer 5 already offers a great solution. IE5 supports a new
feature called HTML applications (or .HTA files). An HTML Application
built like a Web page but can only be loaded and execute from the hard
drive. Because an .HTA file comes from the local drive and not the
Internet, scripts on the page are a completely trusted and are allowed
use all ActiveX controls installed on a system whether the controls are
marked safe or not. For an HTML application, none of its private
controls have to marked safe for scripting and therefore the controls
be misused on Web pages.
For current systems, my recommendation is that computer manufacturers
to review carefully all the ActiveX controls which are pre-installed on
computers that are going out the door. In the review, each control
be checked for potential security problems. It is particularly
look at controls, which make Win32 system calls to load and execute
programs, read and write files, and access the registry.
I've created a Web page on my personal Web site that will check to see
potentially unsafe ActiveX controls are installed on a system. The URL
the test page is:
Security problems with ActiveX controls have been a concern for a long
because these controls are binary programs that are allow to make any
of Windows system call. The industry has mostly been worried about
controls that were intentionally created with malicious code. Microsoft
addresses these concerns with the Authenticode security system which
users to decide if they trust a particular author enough to run controls
that the author has written. Authenticode is based on adding digital
signatures to controls.
However, the pattern I see here is a much different issue. Instead we
computer and software vendors installing ActiveX controls on systems
any notification and these controls for whatever reasons contain
holes in them. As I've pointed out here, I found 4 different ActiveX
controls on my HP system for 3 different vendors which compromised the
safety on my system. Not exactly a great track record! Going forward I
hope that PC makers take a closer look at that the ActiveX controls that
they are shipping on their systems. You never know who might be using
hidden-away ActiveX to create problems for us computer users.