Hacker ruse can exploit ActiveX Controls

September 6, 1999
Web posted at: 12:39 p.m. EDT (1639 GMT)

by Ellen Messmer

Network World Fusion

(IDG) -- If you're using Microsoft Outlook Express in Internet Explorer 5.0 for e-mail and you don't disable the ActiveX Controls feature, someone could send you a message that could wipe the files off your hard drive or put a new file onto it.

Bulgarian computer consultant Georgi Guninski recently showed how the deceit can be done by embedding malicious script in an Internet mail message that can delete files while the victim is reading the message with Microsoft Outlook Express. This exploit takes advantage of ActiveX Controls, Microsoft's technology for executing a program on the Web, and doesn't appear to work with Internet Explorer 4.0.

"What Georgi did was create the 'nuclear e-mail message,' " claims Richard Smith, president of Cambridge, Mass., tools developer Phar Lap Software, who has kept close track of the security implications of ActiveX since Microsoft started developing the technology in the early 1990s.

"We have been anticipating something like this for years. In theory, it's no longer safe to read e-mail if you use Outlook Express," he says. "When you hear about browser exploits, think e-mail, too."

In his presentation at the Usenix security conference, Smith explained how Guninski's ploy works. The Outlook Express e-mail viewer reads HTML by default with Internet Explorer 5.0.

Guninski's "nuclear e-mail" takes advantage of an ActiveX Control called "Object for constructing type libraries for scriptlets," or "Scriptlet Type Lib" for short, that ships as part of Internet Explorer 5.0.

In this case, Guninski's malicious code instructs Internet Explorer 5.0's ActiveX Control to wipe out an entire hard drive if the attacker drops an executable to do so. The trick also can add files to the user's hard drive, regardless of the Microsoft browser's security settings.

"Microsoft has shipped from the factory an ActiveX Control marked 'safe for scripting,' which it shouldn't have," Smith says. For its part, Microsoft last week acknowledged the problem, although the company did not make its technical staff available to talk about it. A company spokeswoman did acknowledge the vulnerability means "you can drop an executable file into the system to do whatever you want. It could do anything."

Microsoft issued a statement advising users concerned about the problem to disable ActiveX Controls until the company releases a patch for its browser.

Guninski works as a security consultant for Netscape, which is now part of America Online. A spokeswoman there says Guninski was hired to review present and future Netscape products after discovering security problems in Netscape Communicator earlier this year. But she and Guninski denied Netscape was paying Guninski to crack Microsoft products.

The ActiveX e-mail escapade is just the latest in a long line of troubles associated with the technology, asserts Smith, who says about a dozen other ActiveX Controls written by Microsoft also need to be fixed.

Microsoft provides the tools to let others - both the good guys and the bad guys - write ActiveX Controls. Smith says he is concerned that ActiveX Controls are proliferating in a way largely unknown to users, as the Controls ship with a growing number of laptop, computer and software applications.

"These preinstalled ActiveX Controls are the ones I see as very dangerous," Smith says. "Active Controls are pretty difficult to write, and these are written by the good guys. I'm talking about Controls you never have the option not to install - I call them 'accidental Trojans.' "

For instance, the Hewlett-Packard Pavilion laptop comes with an ActiveX Control called "Launch," designed to be used with the HP "System Wizard" for system diagnostics. Smith thinks it offers a back door into the laptop.

Kodak's imaging software that ships with Windows 98 has a Control to override files. It looks like a GIF file in the directory, but it's actually an unsafe ActiveX Control, Smith contends. A Toshiba laptop Smith looked at came with about 1,000 preinstalled ActiveX Controls.

To locate ActiveX Controls, Microsoft makes a tool called OLE View, part of the Visual Studio and Visual C++ developer's kits.
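As an added example (not from the article, Smith or Microsoft), the same inventory can be taken from a text export of the registry: this sketch lists every control registered in the "safe for scripting" component category and drops those that already carry the Internet Explorer kill bit. It assumes the export is decoded `reg export` text of HKEY_CLASSES_ROOT\CLSID and the ActiveX Compatibility key; the function name `audit` and the sample CLSIDs and control names are constructed for illustration.

```python
import re

# Component categories a control registers under to declare itself safe.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # "Compatibility Flags" bit: IE refuses to instantiate the control
GUID = r"\{[0-9A-Fa-f-]{36}\}"
CLSID_KEY = re.compile(
    rf"^HKEY_CLASSES_ROOT\\CLSID\\({GUID})(?:\\Implemented Categories\\({GUID}))?$", re.I)
COMPAT_KEY = re.compile(rf"\\Internet Explorer\\ActiveX Compatibility\\({GUID})$", re.I)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')

def audit(reg_text):
    """Return (clsid, name, safe_for_init) for scriptable controls with no kill bit."""
    names, scriptable, init_safe, killed = {}, set(), set(), set()
    clsid = compat = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            clsid, compat = CLSID_KEY.match(line[1:-1]), COMPAT_KEY.search(line[1:-1])
            if clsid and clsid.group(2):
                cat = clsid.group(2).upper()
                if cat == CATID_SAFE_FOR_SCRIPTING:
                    scriptable.add(clsid.group(1).upper())
                elif cat == CATID_SAFE_FOR_INIT:
                    init_safe.add(clsid.group(1).upper())
        elif clsid and not clsid.group(2) and line.startswith('@="'):
            names[clsid.group(1).upper()] = line[3:-1]
        elif compat and (m := FLAGS.match(line)) and int(m.group(1), 16) & KILL_BIT:
            killed.add(compat.group(1).upper())
    return sorted((c, names.get(c, "?"), c in init_safe) for c in scriptable - killed)

# Constructed sample in `reg export` text form; CLSIDs and names are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}]
@="Constructed Control A"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}]
@="Constructed Control B"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000400
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000C3}]
@="Constructed Control C"
"""

if __name__ == "__main__":
    for clsid, name, init in audit(SAMPLE):
        print(clsid, name, "safe-for-init" if init else "")
```

A control can also assert its safety at run time through the IObjectSafety interface, so an empty result from the category keys does not by itself mean no control on the machine is scriptable.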

Smith says that he and his colleagues have not found a large number of ActiveX Controls embedded on public Web sites, probably because of the numbers of users still running a Netscape browser, which doesn't run ActiveX, he surmises.
