Hi Bryan...
Without seeing the specific email, or allowing the ActiveX
control to run, it's very hard to say precisely what could
occur. Needless to say, the potential for harm is great.
I'll start by defining ActiveX, courtesy of searchWin2000.com,
a TechTarget site for Win2000 professionals:
"An ActiveX control is a component program object that can be
re-used by many application programs within a computer or
among computers in a network. The technology for creating
ActiveX controls is part of Microsoft's overall ActiveX set
of technologies, chief of which is the Component Object Model
(COM). ActiveX controls can be downloaded as small programs
or animations for Web pages, but they can also be used for
any commonly-needed task by an application program in the
latest Windows and Macintosh environments. In general,
ActiveX controls replace the earlier OCX (Object Linking and
Embedding custom controls). An ActiveX control is roughly
equivalent in concept and implementation to the Java applet."
[...]
"Visual Basic and C++ are commonly used to write ActiveX controls."
http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci211522,00.html
That said, there are few limits to what such a program can
accomplish, which, like all powerful things, gives it an
equal potential for good and evil.
Microsoft's own 'Windows Update', e.g., is a perfectly good
example of the legitimate use of an ActiveX component.
Another example of a bona-fide blessing through the use
of ActiveX would be a component which allows a website
to perform an anti-virus scan on your computer, such as
those offered by Trend Micro or BitDefender.
The dark side is another story, as indicated on various
mailing lists, bulletin boards, and forums:
"I just tried to opt-out from a spam email message from some sort
Internet keyword system. When I went to the opt-out page for the
mailing list, I got hit with a drive-by download that asked me to
install an ActiveX control called the 'Internet Marketing Agency'.
There isn't a clue on the opt-out page what this control does."
http://lists.netsys.com/pipermail/full-disclosure/2003-January/003237.html
"The real reason that code signing does not promote
authentication, of course, is that truly malicious ActiveX
components won't tell you that they are maliciously modifying
your operating system. In fact, they'll try to make the
modifications as quietly as possible. Or they might engage in
a two-pronged attack. For example, one ActiveX control could
change Internet Explorer's ActiveX security level so that you
would run unsigned applets; later, a second control could do
the real damage." More on the page:
http://groups.google.com/groups?q=dangers+activeX&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&selm=CMM.0.90.1.848526455.risko%40chiron.csl.sri.com&rnum=1
And perhaps the most edifying post, from
comp.infosystems.www.browsers.ms-windows,
links the use of Java applets and ActiveX
to the potential proliferation of viruses:
"Information is not the only thing you get from surfing the
Web: now viruses may lurk in any file that you download.
Java applets and ActiveX controls, which have given a new
life to dull, flat Web pages, may also now be vehicles of
destruction for malicious hackers."
"At the Chaos Computer Club in Hamburg, Germany, a club
member puts the finishing touches on a new kind of virus
that can seek out an Internet user's personal bank account
information and actually transfer funds from the account,
without a personal identification or transaction number.
Science fiction? Unfortunately not.
Although only a demonstration and not an "in the wild"
virus, this hacker's virus is particularly alarming. First,
the virus is carried by a control developed using
Microsoft's ActiveX. Second, the virus loads
automatically (via the ActiveX control) as the user browses
the 'Net.
Any type of workstation, whether Mac, PC, Unix, or VAX, is
at risk from such viruses, even if you have a firewall
between your workstation and the Internet."
[...]
As for solutions, one of the biggest difficulties is outlined:
"The most obvious client-side solution is to simply disable
Java and ActiveX altogether on user workstations.
But as users grow accustomed to the added dimensionality of
ActiveX controls and Java applets, disabling all of them
frustrates users. As these applications are increasingly
applied as key components of web pages, disabling them
eliminates some applications of value to users."
*Much* more on the page:
http://groups.google.com/groups?q=dangers+activeX&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&selm=358222ec.9034338%40news.supernews.com&rnum=2
Another link on the TechTarget site goes to a very objective
article on The Register website, by Thomas C. Greene:
"Are Microsoft ActiveX controls dangerous?"
"The controls can be executed remotely via e-mail or a Web page.
The user's only defence against malicious use is to reject all
of them, or to gamble and accept only those from trusted
sources. One can, of course, accept even unsigned controls if
one wishes; and here we have to point out that an unsigned
control is no more likely to be dangerous than a signed one
is to be safe."
[...]
"Microsoft, naturally, gushes about all the 'features' these
controls make available to users. To the more cynical among
us, 'feature' is mere code for 'security hole'."
[...]
"With this in mind the Computer Emergency Response Team (CERT)
at Carnegie Mellon University held an ActiveX workshop this
Summer to shed some light on the issues, the final report from
which has just been published."
http://www.theregister.co.uk/content/4/15796.html
The 'final report' is a PDF file, available from this link
on the CERT site:
http://www.cert.org/reports/activeX_report.pdf
Chapter 8 of that report, titled 'Users Who Administer Their
Own Computers', and beginning on page 30, gives suggestions
for addressing the security threats posed by ActiveX on your
personal computer, the first of which is:
"Use Windows Update and Office Update regularly.
It is important to use Microsoft's Windows Update to apply
the most recent patches provided by Microsoft. The Windows
Update mechanism [ http://windowsupdate.microsoft.com ] is
an ActiveX control downloaded from Microsoft that checks for
available updates to system files, device drivers, service
packs, and new Windows features. In addition, the patches
applied by Windows Update can disable, patch, or remove
ActiveX controls that have been found to contain security
risks. If you have Microsoft Office, you should use
Microsoft's Office Update [ http://officeupdate.microsoft.com ]
as well because Microsoft Office contains additional
ActiveX controls that Windows Update does not maintain."
It goes on to address how to change the settings in your
browser and email client to minimize the dangers of ActiveX.
That should give you a balanced perspective on the risks
and benefits associated with ActiveX. If I left something
out, or you want to know more, just let me know.
sublime1-ga
Searches done, via Google:
"definition of activeX
://www.google.com/search?q=%22definition+of+activeX
activeX spam email
://www.google.com/search?q=activeX+spam+email
dangers activeX
http://groups.google.com/groups?q=dangers+activeX
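
Added example (not part of the original answer): one of the quotes above describes a control that lowers Internet Explorer's ActiveX security level so that unsigned controls run later, and the CERT report covers tightening browser settings. This Python sketch audits exported Internet Explorer zone settings for that weakening. The baseline and the sample export are assumptions constructed for illustration.

```python
import re

# IE URL actions (value names under ...\Internet Settings\Zones\<zone>): 1001 download
# signed ActiveX, 1004 download unsigned ActiveX, 1201 init/script controls not marked safe.
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
# Assumed baseline (not from the original answer): settings allowed per action.
BASELINE = {"1001": {1, 3}, "1004": {3}, "1201": {3}}

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VAL_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-f]{8})$', re.I)
# Constructed sample in `reg export` format; zone 3 = Internet, 4 = Restricted sites.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000003
"1004"=dword:00000003
"1201"=dword:00000001
"""

def parse_zones(reg_text):
    """Return {zone: {action: dword}} for every zone key found in the export."""
    zones, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = zones.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # some other registry key: ignore its values
        elif current is not None and (val := VAL_RE.match(line)):
            current[val.group(1)] = int(val.group(2), 16)
    return zones

def audit(reg_text, zones=("3", "4")):
    """List (zone, action, setting) where a checked zone is weaker than BASELINE."""
    findings = []
    for zone, values in sorted(parse_zones(reg_text).items()):
        for action, allowed in BASELINE.items():
            actual = values.get(action)  # absent value: nothing set at this key
            if zone in zones and actual is not None and actual not in allowed:
                findings.append((zone, action, POLICY.get(actual, hex(actual))))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Files written by `reg export` are UTF-16, so decode them before passing the text to audit().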