Internet Explorer’s ActiveX Security Mitigations in Use
Background
As a part of the July security bulletin, Microsoft yesterday released an update to mitigate a vulnerability in the “Microsoft Video” ActiveX control. This control contained a stack-based buffer overflow which could be exploited by a malicious web page.
If you haven’t yet done so, please make sure you’ve installed the latest updates from WindowsUpdate to help keep your system secure.
The Microsoft Video control should not have been marked as safe for scripting, because it wasn’t intended for use within the browser; that marking is what lets a web page instantiate and drive the control. Rather than updating the control itself, Microsoft decided to block misuse of the control via a killbit. Killbits are simple registry flags, keyed by the control’s CLSID, that instruct the browser not to load the specified control. One advantage of killbits is that they can easily be set with a simple registry modification, and a “FixIt Script” that set this killbit was available on July 6th. You can learn more about the killbit mechanism over on the SRD Blog (Part 1, Part 2, Part 3).
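As an added example (not code from the original post, and not Microsoft's FixIt script), the following PowerShell reads and sets a killbit the way the text describes, and also reports whether the control is registered as "safe for scripting" or "safe for initializing", which is what lets a page instantiate it. It assumes the documented layout: the DWORD "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with bit 0x400 as the kill bit, plus the Wow6432Node copy that 32-bit IE reads on 64-bit Windows. The CLSID at the bottom is a placeholder, not the Video control's.

```powershell
# Added example: inspect and set an ActiveX kill bit. Not code from the post or the FixIt script.
$KillBitFlag = 0x400
# Component category GUIDs a control registers under to declare itself "safe".
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-CompatKeyPaths {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 32-bit IE on 64-bit Windows consults the Wow6432Node copy; skip it where that hive is absent.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    $paths
}

function Get-ActiveXControlStatus {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $clsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $registered = Test-Path $clsidKey
    $server     = $null
    if ($registered) {
        $server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }

    $killed = $false
    foreach ($path in Get-CompatKeyPaths -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($null -ne $flags) -and ((([int]$flags) -band $KillBitFlag) -ne 0)) { $killed = $true }
    }

    New-Object PSObject -Property @{
        Clsid               = $Clsid
        Registered          = $registered
        Server              = $server
        SafeForScripting    = Test-Path "$clsidKey\Implemented Categories\$CatSafeForScripting"
        SafeForInitializing = Test-Path "$clsidKey\Implemented Categories\$CatSafeForInitializing"
        KillBitSet          = $killed
    }
}

function Set-ActiveXKillBit {
    # Requires an elevated prompt (writes under HKLM). ORs the bit in so other flag bits survive.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($path in Get-CompatKeyPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        $newValue = ([int]$existing) -bor $KillBitFlag
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value $newValue -Force | Out-Null
    }
}

# Placeholder CLSID (assumption); replace with the CLSID named in the bulletin.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
Get-ActiveXControlStatus -Clsid $Clsid | Format-List
# Set-ActiveXKillBit -Clsid $Clsid      # uncomment to apply, then re-run the status check
```

A control that shows SafeForScripting = True, Registered = True and KillBitSet = False is exactly the exposure the post describes: any page can create it. Setting the bit is reversible (clear 0x400 in the same value), which is why the killbit is a mitigation rather than a fix.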
ActiveX Mitigations by IE Version
The Video ActiveX vulnerability was extremely serious for IE6 users because that browser version provides no protection against this exploit unless the killbit is applied.
In contrast, IE7 users had some protection against exploitation of this vulnerability. IE7 includes the ActiveX Opt-in feature which disables most ActiveX controls (including this one) by default. IE7 users on Vista also benefit from Protected Mode, which helps prevent the installation of malicious software, even in the event that an exploit results in code execution.
Beyond Protected Mode and ActiveX Opt-in, IE8 users benefitted from additional protections that help to mitigate vulnerabilities like this one. IE8 includes the per-site ActiveX feature, which extends ActiveX Opt-in by preventing controls that are permitted to run on one site from running automatically on other sites. More importantly in this case, DEP/NX memory protection is enabled by default for IE8 users on Windows XP SP3, Windows Vista SP1+, and Windows 7; those are the Windows versions that allow a process to opt itself in to DEP at runtime, which is what IE8 does at startup. DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable, such as the stack where this overflow occurs. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), makes it harder for attackers to successfully exploit certain types of memory-related vulnerabilities, including this one.
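To see which of these mitigations a given machine actually has, here is an added PowerShell inventory script (mine, not from the original post). It assumes three things that are not stated in the text: IE's version is the "Version" (or, on later releases, "svcVersion") string under HKLM\SOFTWARE\Microsoft\Internet Explorer; the system DEP policy is exposed by WMI as Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut); and Protected Mode per zone is the DWORD named 2500 under each zone key (0 = on, 3 = off).

```powershell
# Added example: report IE version, DEP policy and Protected Mode state. Not code from the post.
$ZoneNames      = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-IEVersion {
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # svcVersion exists on IE10+ and is the accurate one there; older builds only have Version.
    if ($key.svcVersion) { return [version]$key.svcVersion }
    if ($key.Version)    { return [version]$key.Version }
    return $null
}

function Get-DepPolicy {
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        SystemPolicy         = $DepPolicyNames[$policy]
        # IE8 opts its own process in, so only an AlwaysOff system policy defeats it.
        # (The per-browser toggle under Tools > Internet Options > Advanced is not checked here.)
        Ie8CanOptIn          = ($policy -ne 0)
    }
}

function Get-ProtectedModeState {
    # Protected Mode needs Vista or later with UAC on; on XP these values are simply not honoured.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..4) {
        $v = (Get-ItemProperty "$base\$zone" -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $state = 'Not set'
        if ($v -eq 0)     { $state = 'On' }
        elseif ($v -eq 3) { $state = 'Off' }
        New-Object PSObject -Property @{ Zone = $ZoneNames[$zone]; ProtectedMode = $state }
    }
}

$ie = Get-IEVersion
"Internet Explorer version: $ie"
if ($ie -ne $null -and $ie.Major -lt 8) { "IE $($ie.Major): no DEP opt-in, no per-site ActiveX; upgrade." }
Get-DepPolicy | Format-List
Get-ProtectedModeState | Format-Table -AutoSize
```

Read the three results together: an IE6 install, or IE8 on a machine whose DEP policy is AlwaysOff, or Protected Mode set to Off for the Internet zone, each removes one layer the post relies on, and a killbit is then the only thing standing between a page and a vulnerable control.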
Security is a Journey
Unfortunately, attackers are always on the lookout for vulnerable code, and Microsoft is currently investigating a vulnerability recently discovered in the Microsoft Office Web Components (OWC) ActiveX controls. Until an update is available, users can help prevent exploitation of the vulnerability by running the FixIt Script that killbits the vulnerable OWC controls.
No Easy Answers
When talking to customers, I’m often asked: “ActiveX controls often have problems. Why not release a version of Internet Explorer without ActiveX?”
It’s a reasonable question, and it goes back to my point that “security is usually easy, it’s the tradeoffs that are hard.” End-users or IT administrators can easily disable ActiveX in all versions of IE in just a few seconds: click Tools > Internet Options > Security > Custom Level… and change the “Run ActiveX controls and plug-ins” setting to “Disable.” Alternatively, IE7 and IE8 users can launch Internet Explorer in No Add-ons mode using the Start Menu shortcut. Unfortunately, many sites depend on the rich capabilities provided by add-on technologies like ActiveX, and those sites will not work as well, or at all, if ActiveX is disabled. Users and administrators can more tactically disable unwanted controls using Manage Add-ons or Group Policy, reducing attack surface as much as possible.
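The Custom Level setting above is a per-zone registry value, which is how an administrator would script it rather than click through the dialog on every machine. The following added example (mine, not from the original post) assumes the setting is the DWORD named 1200 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n> with 0 = Enable, 1 = Prompt, 3 = Disable, that zones 0 to 4 are Local Machine, Intranet, Trusted Sites, Internet and Restricted Sites, and that when the DWORD Security_HKLM_only under HKLM\...\Internet Settings is 1, IE reads the HKLM copy of the zone keys instead.

```powershell
# Added example: read and change "Run ActiveX controls and plug-ins" per zone. Not code from the post.
$ZonesSubKey        = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActionRunActiveX   = '1200'
$ZoneNames          = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ValueToAction      = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActionToValue      = @{ 'Enable' = 0; 'Prompt' = 1; 'Disable' = 3 }

function Get-ZoneHive {
    # Machine-wide lockdown flag: when set, per-user zone settings are ignored.
    $hklmOnly = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                 -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).'Security_HKLM_only'
    if ($hklmOnly -eq 1) { 'HKLM:' } else { 'HKCU:' }
}

function Get-ActiveXZonePolicy {
    $hive = Get-ZoneHive
    foreach ($zone in 0..4) {
        $v = (Get-ItemProperty "$hive\$ZonesSubKey\$zone" -Name $ActionRunActiveX -ErrorAction SilentlyContinue).$ActionRunActiveX
        $action = 'Not set'
        if (($null -ne $v) -and $ValueToAction.ContainsKey([int]$v)) { $action = $ValueToAction[[int]$v] }
        New-Object PSObject -Property @{ Zone = $ZoneNames[$zone]; Hive = $hive; RunActiveX = $action }
    }
}

function Set-ActiveXZonePolicy {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(0, 4)][int]$Zone,
        [Parameter(Mandatory = $true)][ValidateSet('Enable', 'Prompt', 'Disable')][string]$Action
    )
    $path = "$(Get-ZoneHive)\$ZonesSubKey\$Zone"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ActionRunActiveX -Value $ActionToValue[$Action] -Type DWord
}

Get-ActiveXZonePolicy | Format-Table -AutoSize
# The "tactical" configuration the post alludes to: no ActiveX for arbitrary Internet sites,
# while sites added to Trusted Sites keep it. Uncomment to apply.
# Set-ActiveXZonePolicy -Zone 3 -Action Disable
# Set-ActiveXZonePolicy -Zone 2 -Action Enable
```

Disabling the Internet zone and whitelisting the handful of line-of-business sites in Trusted Sites is the middle path between "disable ActiveX everywhere" and "leave every control reachable from any page"; the killbit and Manage Add-ons then handle individual controls that are known bad.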
While we continue to evangelize best-practices for developing secure add-ons, we strongly encourage users and organizations to upgrade to IE8. IE8 offers a robust set of mitigations against exploitation of vulnerable controls, helping keep your systems secure.
Thanks for reading!
-Eric Lawrence
Comments
Anonymous
July 15, 2009
Do the Netscape/mozilla plugins work in IE? Those np*.dlls

Anonymous
July 15, 2009
@Monix: duh, no. Netscape threatened to sue MS for NP*.dll support so MS had to pull that years and years ago.

Anonymous
July 15, 2009
@Monix: Netscape plugin DLLs do not work (by default) in IE. There's an old ActiveX control (I don't know if it's maintained anymore) which can be used to load NPAPI controls, but it's not very useful for anything.

Anonymous
July 15, 2009
The comment has been removed

Anonymous
July 16, 2009
The comment has been removed

Anonymous
July 16, 2009
The comment has been removed

Anonymous
July 16, 2009
http://www.satine.org/archives/2009/07/11/snow-stack-is-here/ http://www.youtube.com/watch?v=3R6sb4NO25E&fmt=18 IE and Silverlight just became even more irrelevant. This is the death of IE and Silverlight.

Anonymous
July 16, 2009
@Ian: Protected Mode already enforces security restrictions on ActiveX controls and other content that help prevent writing of the file system, registry, etc. For the other things you've cited: access to these resources is one of the primary reasons that most ActiveX add-ons are written in the first place, so disabling them would be functionally equivalent to disabling ActiveX in the first place. All popular browsers support unrestricted native code extensibility, using either ActiveX or NPAPI. IE doesn't even show an ActiveX install prompt by default-- it shows the information bar and it takes two clicks to even get to the prompt. SmartScreen filter is used to scan for malicious ActiveX install points, and hence the number of actually malicious controls is quite low. As to the WMP question: I believe it depends on the version, but in my version, the Options inside Tools / Options / Security allow me to disable the player's ability to run script, etc. @Quality Directory: Are you asking questions primarily as a means of SEO for your link? As noted in the post, you can use the FixIt Script now. In terms of a formal update, that depends on what the Office team's investigation turns up and when they prepare a patch. I do not have insight into other teams' patches.

Anonymous
July 16, 2009
@EricLaw: I don't ask questions here as a means of SEO for my link. My main purpose of visiting is to read and learn how new features of IE work, but not for SEO. I have a small computer company and write computer-related articles for my users. For me to write well, I need an inside view.

Anonymous
July 16, 2009
@EricLaw Why not use rel="nofollow", like e.g. Wikipedia, for the links in this blog? ...thus we might get rid of some of the spam in this blog! Cheers, Harry

Anonymous
July 17, 2009
Just wondering if you have any plans to support or work with Google on Native Client? It seems to fix all of the security problems of ActiveX. The CSS3 Snow Stack looks cool if you have time...

Anonymous
July 17, 2009
The comment has been removed

Anonymous
July 18, 2009
The comment has been removed

Anonymous
July 18, 2009
Billybob: You clearly have no idea what you're talking about. Either you didn't read the article, or you didn't understand it: the point is that Google has a lousy track record on security. When an exec makes "idiotic" claims (BruceS's words, not mine) that their product was "Designed for security" they deserve our scorn, not our trust.

Anonymous
July 18, 2009
Thanks and greetings from Germany

Anonymous
July 19, 2009
The comment has been removed

Anonymous
July 19, 2009
Is there a way to detect Silverlight without using CreateObject() to test for it?

Anonymous
July 19, 2009
The comment has been removed

Anonymous
July 19, 2009
The comment has been removed

Anonymous
July 19, 2009
We've already installed the update, thanks for the information and best regards from Tom from Germany

Anonymous
July 19, 2009
The comment has been removed

Anonymous
July 19, 2009
The comment has been removed

Anonymous
July 19, 2009
From your remarks, "billybob", it's a safe bet you won't be designing any systems any time soon.

Anonymous
July 19, 2009
I have installed the update and it seems to work for me. Thanks for sharing this.

Anonymous
July 20, 2009
I was attempting to upload some pictures to Facebook, which I recently joined, and it tells me to click on the ActiveX controls tab at the top of the page. There is no ActiveX controls tab and it knocks me off of the webpage. It says "Internet Explorer has closed this webpage to protect your computer. A malfunctioning or malicious add-on has caused Internet Explorer to close." Is this the problem you are talking about here? I'm not really computer savvy.

Anonymous
July 20, 2009
@Mike: This suggests that perhaps you have an older version of the Facebook control installed. Check inside Tools / Manage Add-ons to see. If you find one, you might want to uninstall it and install the new one. What version of IE and Windows are you using?