Table Of Content

Auditing ActiveX Controls Cesar Cerrudo Independent Security Researcher/Consultant Outline ¥ ActiveX definition ¥ ActiveX security ¥ Auditing ActiveX ¥ Demo ¥ Preventing ActiveX exploitation ¥ References ActiveX control Basically an ActiveX Control (formerly known as OLE control) is software based on the Component Object Model(COM). ActiveX controls are portable and reusable and can be used in many programming and scripting languages. They are widely used by web based applications to extend their functionality (ie: Windows Update site, etc.). ActiveX security ¥ ActiveX security is most based on (cid:210)trust(cid:211) — If you trust the author. — If you trust IE. — If you trust the site, etc. ¥ No sandbox to restrict access to system resources. ¥ Once an ActiveX is run it can perform any action on the system. ActiveX security ¥ ActiveX controls can be signed or unsigned — Signed doesn(cid:213)t mean that the control is safe. — Signing only helps to identify the control(cid:213)s author and that the control wasn(cid:213)t modified. — Ignored when controls are not installed from Internet Explorer. ActiveX security ¥ ActiveX controls can be marked as safe — Again, this doesn(cid:213)t mean that the control is safe. — By the existence of some registry subkeys: subkey {7DD95801-9882-11CF-9FA9- 00AA006C42C4} means safe for scripting, subkey {7DD95802-9882-11CF-9FA9- 00AA006C42C4} means safe for initialization. — By IObjectSafety interface. ActiveX security ¥ ActiveX controls can be restricted to run only under specific domains — Using SiteLock template or custom code. — After the control is run the actual URL is checked against allowed domains, if it doesn(cid:213)t match, execution can be aborted. — Can be easily defeated by XSS and IE cross domain issues. ActiveX security ¥ ActiveX security options can be set on IE — ActiveX execution can be restricted. — Restrictions can be bypassed by exploiting XSS or IE cross domain issues on trusted sites, exploiting IE cross zone issues. What about a J XSS on Microsoft.com ActiveX security ¥ Conclusion — ActiveX security mechanisms only help to mitigate risks, they don(cid:213)t prevent. — ActiveX controls can be abused bypassing security mechanisms. — A (cid:210)really safe(cid:211) ActiveX should not perform any dangerous action on the system and be vulnerability free. — ActiveX controls are dangerous. Auditing ActiveX (why?) ¥ To perform QA. ¥ To detect security vulnerabilities. ¥ To check if a control is (cid:210)really safe(cid:211). ¥ Sometimes people are forced to run ActiveX controls because they are used by (cid:210)must use(cid:211) applications, auditing could J help you to sleep better at night .

Description:

ActiveX controls can be signed or unsigned. – Signed doesn't mean that the control is safe. – Signing only helps to identify the control's author and that

Auditing ActiveX Controls PDF

29 Pages·2004·0.46 MB·English

by Ping Look

Checking for file health...

Download

Upgrade Premium

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Download Auditing ActiveX Controls PDF Free - Full Version

by Ping Look| 2004| 29 pages| 0.46| English

Download Auditing ActiveX Controls by Ping Look in PDF format completely FREE. No registration required, no payment needed. Get instant access to this valuable resource on PDFdrive.to!

Free Download PDF

About Auditing ActiveX Controls

ActiveX controls can be signed or unsigned. – Signed doesn't mean that the control is safe. – Signing only helps to identify the control's author and that

Detailed Information

Author:	Ping Look
Publication Year:	2004
Pages:	29
Language:	English
File Size:	0.46
Format:	PDF
Price:	FREE

Download Free PDF

Safe & Secure Download - No registration required

Why Choose PDFdrive for Your Free Auditing ActiveX Controls Download?

100% Free: No hidden fees or subscriptions required for one book every day.
No Registration: Immediate access is available without creating accounts for one book every day.
Safe and Secure: Clean downloads without malware or viruses
Multiple Formats: PDF, MOBI, Mpub,... optimized for all devices
Educational Resource: Supporting knowledge sharing and learning

Frequently Asked Questions

Is it really free to download Auditing ActiveX Controls PDF?

Yes, on https://PDFdrive.to you can download Auditing ActiveX Controls by Ping Look completely free. We don't require any payment, subscription, or registration to access this PDF file. For 3 books every day.

How can I read Auditing ActiveX Controls on my mobile device?

After downloading Auditing ActiveX Controls PDF, you can open it with any PDF reader app on your phone or tablet. We recommend using Adobe Acrobat Reader, Apple Books, or Google Play Books for the best reading experience.

Is this the full version of Auditing ActiveX Controls?

Yes, this is the complete PDF version of Auditing ActiveX Controls by Ping Look. You will be able to read the entire content as in the printed version without missing any pages.

Is it legal to download Auditing ActiveX Controls PDF for free?

https://PDFdrive.to provides links to free educational resources available online. We do not store any files on our servers. Please be aware of copyright laws in your country before downloading.

The materials shared are intended for research, educational, and personal use in accordance with fair use principles.