Internet Explorer Has A Problem With ActiveX Controls

Use Only For Windows Updates!

I’ve been adding that line (Use Only For Windows Updates!) to the title bars of my customers’ Internet Explorers ever since Firefox was released a couple of years ago. The main reason? ActiveX controls. Internet Explorer is built around them. Firefox doesn’t use them at all.

Historically, the problem with ActiveX controls was the ease with which the bad guys could take control of them to infect your PC. Of course, this meant that the ActiveX control in question was already installed on your computer. I mean, think about it: How can you take advantage of a vulnerability if it’s not on the PC, right?

Well, somebody figured out how. The answer was extremely simple, and easy to implement. Just find an obscure ActiveX control with a vulnerability that Microsoft doesn’t seem to care about patching, and install it on PCs visiting your site!

Since the ActiveX control really is from Microsoft (the ultimate trusted vendor on a Windows machine), the user will not be alerted that it is being installed. Once it’s installed on the PC, the bad guys can take over and do whatever they want, using the genuine MS ActiveX control as the conduit to download any kind of malicious program. In most cases, you will never even know it happened.

From the article found at StopBadWare.org, quoting Symantec’s release:

Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

Moral Of The Story

The moral of the story is plain: Use Internet Explorer Only For Windows Updates! Better yet, set your Windows Updates to automatically download the updates for you, and notify you when they’re ready to be installed. That way, you never have to open yourself to these kinds of threats at all.

Of course, there are other threats. But if you could do one thing to avoid all of a certain class of threats, why wouldn’t you?

I am Jon. Firefox is my browser of choice.