Many developers of ActiveX-based applications do a poor job of ensuring security, notes Craig Schmugar, a threat researcher at McAfee's Avert Lab. And that threat grows as the number of ActiveX applications grows. "You can improve developer education, but hackers are likely to keep attacking the soft targets," he said.
It's also become easier for hackers to find ActiveX's flaws, thanks to the broad availability of fuzzing tools. "The publicly available fuzz testing tools for ActiveX make it relatively simple to find new vulnerabilities and controls to go after, so people are able to research how exploitable certain applications may be before writing their attacks," said Carnegie Mellon's Dormann. "People are finding new holes all the time and posting them to public mailing lists," he added.
"One of the most telling things to look at with ActiveX is that security researchers delving into these problems don't get a lot of respect within the vulnerability research community itself," Schmugar noted. "That's mostly because with the sheer number of holes, and all the available fuzzing tools, people look at it like shooting fish in a barrel."
IE7 improvements should help over time
Microsoft is well aware that ActiveX is both a big target for hackers and one that they can successfully attack. So the company has re-architected its Internet Explorer Web browser in version 7 to limit the scope of well-known attacks methods. Researchers say that the work should eventually produce dividends.
For example, the original implementation of ActiveX in IE6 and previous versions exposed binaries to any page visited by users. By contrast, IE7 provides far less access to sites and applications, preventing malware authors from activating code that would let them hack the browser.
Microsoft has configured IE7's defaults so that only "safe" ActiveX controls (as determined by Microsoft) can be accessed, and it has enhanced separation of controls to prevent exploits from running roughshod across the entire Internet Explorer application as they often did in the past, researchers said. "IE7's protected mode definitely helps, even if the root cause in the form of ActiveX vulnerabilities is still present, and in the long run it will play a role in convincing attackers to move elsewhere, but with Vista and IE7 in relatively few hands this won't happen soon," said McAfee's Schmugar. Improvements made in the Windows Vista operating system should also help reduce the impact of traditional ActiveX attack techniques, he noted.
However, most people use neither Vista nor IE7, so these improvements aren't widely deployed. The majority of users run IE6 on Windows XP, both of whose ActiveX components remain largely unchanged and thus at high risk.
Dumping ActiveX is not the long-term solution
Given that ActiveX is compatible only with Microsoft's Windows browsers, you might conclude the safest solution to the security threat is to use alternative technologies such as JavaScript.
That strategy may work for a while, researchers said. But as alternative browser plug-in technologies gain adoption, they too will become more significant targets for attackers. Researchers cite the increasing attacks aimed at the Mozilla Firefox and Apple Safari browsers as they gained in popularity, as well as the likelihood of more Mac OS-based threats as that operating system continues to gain market share. And JavaScript is no stranger to attacks, either.
"The issue goes beyond ActiveX. Any plug-in architecture that has a lot of users will suffer from these same issues; anything where you have third party developers writing code that runs inside the browser," said Max Caceres, director of research and development at applications security firm Matasano Security. "As long as developers are building things without putting security at the top of their list of objectives, we'll have these problems, regardless of the plug-in architecture."