Securing ActiveX Controls
I was reading my buddy Alex Smolen's post the other day on Java Applet Security and figured I would see his post and raise it with a post on ActiveX control security. Actually, as you can probably see I have been slacking on the posting front so figured it is about time and this specific issue – ActiveX control security has been something I have been seeing a lot of in assessments but it doesn't seem to be covered enough in both the testing literature out there or indeed in secure development guides.
As it turns out, ActiveX controls are at the end of the day C++ or C# or (pick your favorite language) code so much of the guidance on secure application development continue to apply as you would expect. However, ActiveX controls obviously add another interesting dimension – they are mobile code and execute not on the server like typical web applications do but on the client machine. That means any vulnerabilities in this control place each and every one of your customers at risk. In fact with some popular ActiveX controls this is such a rampant problem given that they are installed on hundreds of thousands if not millions of computers across the globe. What perhaps exacerbates the risk even more is these ActiveX controls typically provide very powerful functionality by leveraging deep access into the client computer. This in turn can mean you are putting your users at risk even if you have no stereotypical vulnerabilities in your control code. Let me explain, why just not having buffer overflows and the like is not enough to protect your customers.
Well it all really comes down to the trust model and the sandbox built for ActiveX controls in the browser – Internet Explorer for the most part. Enter the notion as being "safe for initialization and / or scripting". The relevant MSDN documentation on this is shown here:
Initialization Security
When a control is initialized, it can receive data from an arbitrary IPersist*  interface (from either a local or a remote URL) for initializing its state. This is a potential security hazard because the data could come from an untrusted source. Controls that guarantee no security breach regardless of the data source are considered safe for initialization.
There are two methods for indicating that your control is safe for initialization. The first method uses the Component Categories Manager to create the appropriate entries in the system registry. Internet Explorer examines the registry prior to loading your control to determine whether these entries appear. The second method implements an interface named IObjectSafety on your control. If Internet Explorer determines that your control supports IObjectSafety, it calls the IObjectSafety::SetInterfaceSafetyOptions method prior to loading your control in order to determine whether your control is safe for initialization.
Scripting Security
Code signing can guarantee a user that code is trusted. However, allowing ActiveX Controls to be accessed from scripts raises several new security issues. Even if a control is known to be safe in the hands of a user, it is not necessarily safe when automated by an untrusted script. For example, Microsoft Word is a trusted tool from a reputable source, but a malicious script can use its automation model to delete files on the user's computer, install macro viruses, and worse.
There are two methods for indicating that your control is safe for scripting. The first method uses the Component Categories Manager to create the appropriate entries in the system registry (when your control is loaded). Internet Explorer examines the registry prior to loading your control to determine whether these entries appear. The second method implements the IObjectSafety interface on your control. If Internet Explorer determines that your control supports IObjectSafety, it calls the IObjectSafety::SetInterfaceSafetyOptions method prior to loading your control in order to determine whether your control is safe for scripting. |
When it comes to ActiveX controls designed for the browser, it is more likely than not that these are marked as safe for scripting.
The problem is this approach is very binary – or in other words you can either mark an ActiveX control as never safe for scripting or always safe. Like we just said most developers will mark the object safe for scripting and all seems well. This is where it begins to get really interesting from a security perspective. A control marked as safe for scripting can be loaded by any and every web page developer whether they work for your organization or are the teenage, blackhat hackers down the street or in some dark basement half way across the globe.
Consider, now a familiar use case for an ActiveX controls – a control that lets you browse your local file system and add or delete files from / to the server. Developing this control just gave your company the award for most usable site on the entire World Wide Web and as they say business is good. Joe Hacker down the street is an avid user of your site and hence your ActiveX control realizes he might have a way to create a nice little botnet for himself through your ActiveX control. So here is what he does:
Creates a phishing site that looks perhaps just like yours or indeed anything else.
Within this site he loads your ActiveX control using the object tag he noticed in the HTML source of your website
Uses the interfaces, methods, events exposed by your ActiveX control within his fake website
You see where this is going, the more powerful your control the more power Joe Hacker has in his evil, evil hands …. Sigh L
So what is the solution you ask? As tempted as I am to leave that for another day and build on the suspense … I shall not J.
This is where the SiteLock template comes in. From the download page:
"The SiteLock ATL template enables an ActiveX developer to restrict access so that a control is only deemed safe when used in a predetermined list of domains. This limits the ability of Web page authors to reuse the control for malicious purposes."
Essentially SiteLock allows the developer to define a set of website domains (or Internet Explorer Zones) that are allowed to load this control. This information is built into the control itself and each time the control is loaded, it checks the site that is loading it to make sure it is part of the white list defined by the original developer. If not it will refuse to load. In fact SiteLock can also support "expiring" an ActiveX control after a certain time period. The idea being here is that functionality present in the ActiveX control can be disabled after a certain date. Both of these measures provide risk mitigation both against malicious (innocent as well actually) repurposing of your control as well as possibly lowers risk if the control were to have an unpatched vulnerability such as a buffer overflow. It is thus an excellent example of defense in depth and risk mitigation which is easy enough to code into the system and thus there is little reason for not doing so.
For the technically inclined the SiteLock template functions by providing its own custom implementation for the aforementioned IObjectSafety – IobjectSafetySiteLockImpl. This implementation provides the magic security sauce which does all the checking described in the previous paragraph.
References:
Designing Secure ActiveX Controls
Best Practices for ActiveX Control Updates
New Version of SiteLock Template
P.S. It is important to note that what has been discussed here bears no relation to whether the control is signed or unsigned which is what Alex's
post talked about. Instead it focuses on the properties of a legitimate ActiveX control. The browser will still show the regular warnings whether the control is signed or unsigned depending on how your browsing security policy is defined. It will however NOT let you know if the site attempting to use an ActiveX control is legitimate or malicious – it really has no way of doing that. So as a developer your action item is to make sure all your controls that will be hosted in a browser are protected using SiteLock. If your controls are never intended to run in a browser do not mark them as safe for scripting. Internet Explorer does not load such controls so problem solved!
If you are a end user then make sure the controls you use have this protection or hound the developers if you can until they provide this protection. In the meantime, refuse to load ActiveX controls whether signed or unsigned from untrusted websites!