I saw this come across comp.risks and thought it was appropriate for Bugtraq. I haven't seen anything about it on Bugtraq before.

-dave

Date: Thu, 22 Jul 1999 22:12:27 -0400
From: "Richard M. Smith" <[EMAIL PROTECTED]>
Subject: New ActiveX security problems in Windows 98 PCs

At work, I recently started using a new HP Pavilion computer that is running Windows 98. As part of ongoing research into Internet security issues, I discovered that this computer was shipped with 2 ActiveX controls which are extremely dangerous. These controls can be easily misused on a Web page to gain access to the computer and run programs. More worrisome, however, script code can be embedded in HTML Email messages and the controls accessed in Outlook, Outlook Express, and Eudora. The controls are marked "safe" for scripting even though they can do things like launch programs and read and write the Windows registry.

Using these controls, some of the malicious things that can be done include:

- Automatically install a computer virus or other malicious software on a system.
- Turn off all Windows security checking, making a system wide-open for future attacks.
- Read personal files from the local hard disk and silently upload them to a remote Web site.
- Delete document files from the local hard drive.
- Remove Windows system files so that a system can no longer be booted.

With less than 30 minutes of effort, I was able to construct a test Email message that downloads a Windows executable file from a remote FTP site and installs it on the local hard drive using one of these ActiveX controls. After the file is successfully installed, it is then executed. For my test message, I download and run the Windows calculator. However, the Email message can download any Windows program such as the ExplorerZip virus or Back Orifice 2000 install program. In Outlook Express, this all happens automatically when the Email message is read.

There are no attachments that have to be clicked on and no warnings with default security settings. My test Email message contains only about 10 lines of JavaScript code to direct one of the HP ActiveX controls to do the download and run the program. Anyone with experience in JavaScript programming could easily duplicate the code that I wrote. For obvious reasons, I will not be publicly releasing this test Email message.

Microsoft's Authenticode security system built into Internet Explorer is of no use here because the ActiveX controls are pre-installed on the computer and not downloaded from the Internet. Authenticode only allows users to prevent downloading of questionable ActiveX controls, not their execution once they are installed on a system.

The ActiveX controls are shipped on the HP system for use in a system diagnostic package called SystemWizard. This package is a product of SystemSoft (<http://www.systemsoft.com>). The intention is that these controls would only be used in SystemWizard and nowhere else. However, because the controls are marked safe for scripting, any Web page or Email message can use the controls in any manner it likes. The controls either never should have been marked safe in the first place or the controls need to do their own security checking. Unfortunately neither precaution was taken.

The two SystemSoft controls are just thin wrappers around a number of Win32 system calls. The Launch ActiveX control allows a JavaScript program to run a DOS or Windows program and pass in command line parameters. The RegObj ActiveX control allows a JavaScript program to read, set, and scan registry keys. The controls are accessed on a Web page simply by including an HTML <OBJECT> tag with appropriate parameters. Pretty obviously, it is not a good idea to allow JavaScript programs to make direct Win32 system calls with such ease!

To give an idea how easy the Launch control is to misuse, the following JavaScript call will remove the contents of someone's entire "My documents" directory using the old DOS deltree command:

    Launch('c:\\command.com', '/c deltree /y "c:\\My documents\\*.*"');

Both of the SystemWizard ActiveX controls were created last year and, to my understanding, have been shipped on most HP desktop systems in the US retail channel for at least the last 6 months. The number of computers which are vulnerable is therefore quite substantial. The same controls may also be shipped on other brands of computers.

After being alerted to the problems of these two controls, SystemSoft is providing a patch file to fix the security holes. This patch file can be downloaded from their Web site at this URL:

<http://www.systemsoft.com/support/syswiz/index.htm>

In addition to the two SystemSoft ActiveX controls, I also found another ActiveX control pre-installed on the HP system with a privacy leak in it. The control can give out Windows 98 registration information such as name, address, and phone number to a Web site. This control was supplied by Encompass Corporation (now part of Yahoo) and is used in an ISP sign-up program. The control is marked safe for scripting on a new computer, but is marked unsafe for scripting the first time dial-up networking (DUN) is used on the system. This issue is specific to this machine/build of the software. Unfortunately on my HP system, I use a LAN connection to access the Internet and therefore the Encompass control stays marked safe for scripting forever and could give out registration information (limited to name, address, phone number) to a malicious person. Since I didn't use the dial-up portion of the ISP sign-up, I just removed the registration application by going to the add/remove program files and choosing the "Easy Internet Access" application.

The control also remains safe for scripting if one uses AOL as an ISP because AOL does not use DUN support in Windows 98. Since Encompass has distributed versions of the software on different machines, I've put together a demo page that will test a system to see if the system has a version of the control that could release registration information to a malicious person. The test page can be found at:

<http://www.tiac.net/users/smiths/acctroj/reginfo.htm>

I also upgraded from version 4 of Internet Explorer to version 5 on the HP system. Unfortunately this upgrade installed yet another dangerous ActiveX control on the system. This control is the DHTML editing control, which can be easily misused to read files from the local hard drive and upload them to a Web server. This bug was discovered in March 1999 and has been fixed by Microsoft, but the majority of IE5 users are still vulnerable because not many people know about the problem. A security bulletin and patch for this ActiveX control can be found on the Microsoft Web site:

<http://www.microsoft.com/security/bulletins/ms99-011.asp>

How did so many of these insecure ActiveX controls get installed on my computer in the first place? Because Internet Explorer (IE4 or IE5) comes bundled with Windows 98, it is becoming increasingly popular for computer manufacturers to build specialized utilities for their PCs using IE4, just like HP has done. These utilities include registration software, ISP sign-up programs, and shells for running common applications. With Internet Explorer 4 it is very easy to develop user interfaces for these types of utilities using standard HTML pages. ActiveX controls are then typically used in these applications to provide low-level access to the Windows operating system to do things like run applications, access the registry, or read and write files. These controls are only supposed to be used inside the applications they are designed for.

However, IE4 has no built-in mechanism for restricting use of a particular ActiveX control to particular Web pages. Therefore it is up to the application developer to provide a security mechanism in their ActiveX controls.

After looking at the problems of the HP system, I decided to check out other new Windows 98 systems from other computer manufacturers for similar unsafe ActiveX controls. The first thing I discovered is that it is very common for manufacturers to ship utilities built as Web pages on their computers. Most of these applications included ActiveX controls for doing things like running programs and accessing the registry. The controls had names like "SpawnApp", "SafeLanuch", "RegRead", and "Run". However, because I didn't have direct access to these systems, I have no method to test whether these controls can be misused or not. Because there is no built-in security system in place for pre-installed ActiveX controls, it is up to the person who writes the control to make sure they are safe. I have inquired to a number of computer manufacturers about the controls I saw, but so far have not received back any responses. Given the subtle nature of ActiveX security issues, I wouldn't be surprised if other computer models have serious security problems also.

A typical Windows 98 system today ships with about 50 pre-installed ActiveX controls that are marked safe for scripting. Because ActiveX controls are Win32 programs it's not possible to really know if a control is really safe or not. The developer's claims about safety cannot necessarily be trusted. Without systematic and detailed testing it is not possible to know if a given control is really safe. I don't believe full testing is really being done today.

For example, here is information about another Microsoft ActiveX control that is still being distributed with the Windows 98 Resource Kit today:

<http://support.microsoft.com/support/kb/articles/Q218/6/19.ASP>

This Resource Kit ActiveX control allows Windows programs to be executed from a Web page or HTML Email message.

What can users do about all of these different ActiveX security holes? One approach is to download patches to fix security holes as they are found. Unfortunately for most users it is not possible to know what ActiveX controls are even installed on their system, never mind knowing which ones are really safe. It might require going to 4 or 5 different Web sites just to see what security patches are available. A pretty impossible task for almost anyone. One easy thing users can do is completely turn off ActiveX controls in Internet Explorer. This is done on the security tab of the "Internet Options..." command in Internet Explorer. This option however is only available if the Web sites that one goes to don't use ActiveX controls.

What can computer manufacturers and software companies do about the problem of security holes in pre-installed ActiveX controls? As it turns out, Internet Explorer 5 already offers a great solution. IE5 supports a new feature called HTML applications (or .HTA files). An HTML Application is built like a Web page but can only be loaded and executed from the hard drive. Because an .HTA file comes from the local drive and not the Internet, scripts on the page are completely trusted and are allowed to use all ActiveX controls installed on a system whether the controls are marked safe or not. For an HTML application, none of its private ActiveX controls have to be marked safe for scripting and therefore the controls cannot be misused on Web pages.

For current systems, my recommendation is that computer manufacturers need to carefully review all the ActiveX controls which are pre-installed on computers that are going out the door.

In the review, each control needs to be checked for potential security problems. It is particularly important to look at controls which make Win32 system calls to load and execute other programs, read and write files, and access the registry. I've created a Web page on my personal Web site that will check to see what potentially unsafe ActiveX controls are installed on a system. The URL for the test page is:

<http://www.tiac.net/users/smiths/acctroj/axcheck.htm>

Security problems with ActiveX controls have been a concern for a long time, because these controls are binary programs that are allowed to make any kind of Windows system call. The industry has mostly been worried about ActiveX controls that were intentionally created with malicious code. Microsoft addresses these concerns with the Authenticode security system which allows users to decide if they trust a particular author enough to run controls that the author has written. Authenticode is based on adding digital signatures to controls. However, the pattern I see here is a much different issue. Instead we have computer and software vendors installing ActiveX controls on systems without any notification and these controls for whatever reasons contain security holes in them. As I've pointed out here, I found 4 different ActiveX controls on my HP system from 3 different vendors which compromised the safety of my system. Not exactly a great track record!

Going forward I hope that PC makers take a closer look at the ActiveX controls that they are shipping on their systems. You never know who might be using that hidden-away ActiveX to create problems for us computer users.
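The review the post asks for (which pre-installed controls are marked safe for scripting, and which DLL backs each one) can be done offline against a REGEDIT4 export of HKEY_CLASSES_ROOT\CLSID. The script below is an added example, not Smith's test page or any vendor's code; the sample export and its CLSIDs and paths are constructed placeholders, while the SafeForScripting category GUID is the real one that Internet Explorer consults.

```python
import re
# Component category IE consults before a script may touch a control (the real CATID).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"

_KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?\]$")
_VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')

# Constructed REGEDIT4 excerpt: the CLSIDs and paths are placeholders, not real ones.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}]
@="Launch Control"
[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\SYSWIZ\\LAUNCH.OCX"
[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}]
@="Private HTA-only control"
[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\SYSWIZ\\PRIVATE.OCX"
"""

def _unquote(raw):
    # REGEDIT4 strings are "..." with \\ and \" escapes; other value types pass through.
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw

def parse_clsid_export(reg_text):
    """Map each CLSID to its name, in-proc server path and implemented categories."""
    controls, clsid, subkey = {}, None, ""
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:  # a new key: remember which CLSID and subkey the following values belong to
            clsid, subkey = m.group(1).upper(), m.group(2) or ""
            ctl = controls.setdefault(clsid, {"name": "", "server": "", "categories": set()})
            parts = subkey.split("\\")
            if len(parts) == 2 and parts[0] == "Implemented Categories":
                ctl["categories"].add(parts[1].upper())
            continue
        v = _VALUE_RE.match(line)
        if clsid and v and v.group(1) == "@" and subkey in ("", "InprocServer32"):
            controls[clsid]["name" if subkey == "" else "server"] = _unquote(v.group(2))
    return controls

def safe_for_scripting(reg_text):
    """Return (clsid, name, server) for every control a web page or HTML mail may script."""
    return [(c, d["name"], d["server"]) for c, d in parse_clsid_export(reg_text).items()
            if CATID_SAFE_FOR_SCRIPTING in d["categories"]]
```

Controls that only ever run inside an .HTA, as the post recommends, never need the SafeForScripting category and so never appear in this list; anything that does appear should be reviewed for the Win32 calls it wraps.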