5. Once the user visits the legitimate organization's page with the vulnerable
ActiveX control installed, the user's operating system will follow the
instructions set by the attacker.
While ActiveX is often developed insecurely, designing safe ActiveX controls is
certainly possible. The following section discusses a list of common ActiveX security
flaws and the appropriate security measures you can use to mitigate them.
Allowing ActiveX Controls to be Invoked by Anyone
ActiveX controls often do not verify or list the authorized servers and/or domains that
can invoke them, such as *.isecpartners.com. This lack of restriction allows any
attacker to target and invoke existing controls on a user's operating system for the
attacker's own advantage. By not verifying or restricting the invoking domain, the red
carpet is rolled out for any attacker willing to abuse the rights held by the ActiveX
COM object.
To defend against misuse, Microsoft released SiteLock, a library that ActiveX
developers can use to limit access to the ActiveX controls. A developer can lock access to
specific domain names, to IE trust zones, or to Secure Sockets Layer (SSL). For example,
a predetermined list of domains, such as *.
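As an added example that is not part of the original text or of the SiteLock library itself, the following C++ code shows the kind of origin check a site-locked control performs: the hosting page's URL is parsed and the control is only usable when the scheme and host match a developer-defined allowlist (the *.isecpartners.com wildcard from the text is used as the sample entry; TrustedSite and site_allowed are names chosen for this illustration).

```cpp
// Added illustration of the allowlist check SiteLock performs for a control
// (illustrative code, not the SiteLock library): a control's method is only
// honoured when the hosting page's scheme and host match a trusted entry.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

struct TrustedSite {
    std::string scheme;   // "https" or "http"
    std::string pattern;  // exact host or "*.example.com" wildcard
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Split "scheme://[user@]host[:port]/..." into lower-cased scheme and host.
static bool parse_origin(const std::string& url, std::string& scheme, std::string& host) {
    size_t p = url.find("://");
    if (p == std::string::npos || p == 0) return false;
    scheme = lower(url.substr(0, p));
    size_t start = p + 3;
    host = lower(url.substr(start, url.find_first_of("/?#", start) - start));
    size_t at = host.rfind('@');           // drop userinfo such as "trusted.com@"
    if (at != std::string::npos) host = host.substr(at + 1);
    size_t colon = host.find(':');         // drop an explicit port
    if (colon != std::string::npos) host = host.substr(0, colon);
    return !host.empty();
}

// "*.example.com" matches any subdomain of example.com but neither
// "example.com" itself nor look-alikes such as "evilexample.com".
static bool host_matches(const std::string& host, const std::string& pattern) {
    if (pattern.compare(0, 2, "*.") != 0) return host == pattern;
    std::string suffix = pattern.substr(1);   // ".example.com"
    return host.size() > suffix.size() &&
           host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}
// Default deny: the page URL must satisfy at least one trusted entry.
bool site_allowed(const std::string& page_url, const std::vector<TrustedSite>& allow) {
    std::string scheme, host;
    if (!parse_origin(page_url, scheme, host)) return false;
    for (const TrustedSite& t : allow)
        if (t.scheme == scheme && host_matches(host, t.pattern)) return true;
    return false;
}
```

The userinfo and look-alike cases are the ones a naive substring match on the URL gets wrong, which is why the check works on the parsed host rather than the raw string.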