
Re: ActiveX security hole reported.



Re: an ActiveX control which "crashes" windoze95...

Stephen Cobb: Yes, it works, turns off the machine...quite impressive.

Gary Meltzer: 
>Which part do people find the most impressive? -
>that the Win95 shutdown API works as documented
>or that all these security experts are downloading and running
>software designed to do something they don't want?

It is my personal opinion, as a security professional (I do not claim the
title "expert") that Microsoft has consistently under-estimated both the
problem of malicious programming and the need that "ordinary" PC users have
for secure, reliable systems (ordinary users get Windows 95 with all its
holes; for those who are "particularly concerned" about security and
privacy, Microsoft recommends NT).

In short, when it comes to security, Microsoft does not "get it". Now, I
know that there are plenty of talented people at Microsoft who understand
security, so when I say "Microsoft does not get it" I mean Microsoft as
embodied in the company's actions, products, and statements to date.

An example is the persistent use of the terms "harmless" and "prank" when
referring to macro viruses. Last fall Microsoft was roundly criticized for
referring to the winword.concept macro virus as "harmless." Now they are
doing the same thing with the Laroux Excel virus. Just because a virus does
not have a destructive payload does not mean it is harmless. Indeed, at
least one study indicates that the bulk of the cost of viruses to companies
comes from the disinfection process, not the payload. I have personally
spoken to IS managers who have several thousand machines infected with the
winword.concept virus and so far, a foolproof, automated disinfection
program does not exist, which means a lot of labor intensive cleanup work to
rid the company of the virus (given that spreading viruses, however
"harmless", to clients and business partners is currently considered
unacceptable corporate practice).

So how does this relate to the ActiveX Exploder that performs an orderly
announced system shutdown? Well, if Microsoft's track record is a less than
adequate level of concern about code abuse, an Exploder that performs an
unannounced, non-orderly shutdown, with an attendant loss of data integrity
and availability, is at least a possibility. Consequently I am telling
companies that this is something they should consider carefully before
allowing the use of browsers that support ActiveX.

>How does this control differ from an HTML page that tells
>readers to turn the power switch off?

Good point. This particular example is rather like a social engineering
attack in which a person pretending to be an MIS support manager calls up a
user and tells them to turn off their PC. It is future malicious iterations
of this attack that companies need to worry about. Note that I say "worry
about". I am not saying that ActiveX is the end of the world, indeed, in
many respects it is way cool technology and it would be great to see it
deployed widely. But security management means being aware of the risks, and
right now I think ActiveX is risky. Exploder points to the potential for
abuse, which helps to raise awareness of the concerns that some of us have
about malicious programming.

Respectfully...Stephen

