
Hacker ruse can exploit ActiveX Controls

September 6, 1999
Web posted at: 12:39 p.m. EDT (1639 GMT)

by Ellen Messmer

From Network World Fusion

(IDG) -- If you're using Microsoft Outlook Express in Internet Explorer 5.0 for e-mail and you don't disable the ActiveX Controls feature, someone could send you a message that could wipe the files off your hard drive or put a new file onto it.

Bulgarian computer consultant Georgi Guninski recently showed how the deceit can be done by embedding malicious script in an Internet mail message that can delete files while the victim is reading the message with Microsoft Outlook Express. This exploit takes advantage of ActiveX Controls, Microsoft's technology for executing a program on the Web, and doesn't appear to work with Internet Explorer 4.0.

"What Georgi did was create the 'nuclear e-mail message,' " claims Richard Smith, president of Cambridge, Mass., tools developer Phar Lap Software, who has kept close track of the security implications of ActiveX since Microsoft started developing the technology in the early 1990s.

"We have been anticipating something like this for years. In theory, it's no longer safe to read e-mail if you use Outlook Express," he says. "When you hear about browser exploits, think e-mail, too."


In his presentation at the Usenix security conference, Smith explained how Guninski's ploy works. The Outlook Express e-mail viewer reads HTML by default with Internet Explorer 5.0.

Guninski's "nuclear e-mail" takes advantage of an ActiveX Control called "Object for constructing type libraries for scriptlets," or "Scriptlet Type Lib" for short, that ships as part of Internet Explorer 5.0.

In this case, Guninski's malicious code instructs Internet Explorer 5.0's ActiveX Control to wipe out an entire hard drive if the attacker drops an executable to do so. The trick also can add files to the user's hard drive, regardless of the Microsoft browser's security settings.

"Microsoft has shipped from the factory an ActiveX Control marked 'safe for scripting,' which it shouldn't have," Smith says. For its part, Microsoft last week acknowledged the problem, although the company did not make its technical staff available to talk about it. A company spokeswoman did acknowledge the vulnerability means "you can drop an executable file into the system to do whatever you want. It could do anything."

Microsoft issued a statement advising users concerned about the problem to disable ActiveX Controls until the company releases a patch for its browser.

Guninski works as a security consultant for Netscape, which is now part of America Online. A spokeswoman there says Guninski was hired to review present and future Netscape products after discovering security problems in Netscape Communicator earlier this year. But she and Guninski denied Netscape was paying Guninski to crack Microsoft products.

The ActiveX e-mail escapade is just the latest in a long line of troubles associated with the technology, asserts Smith, who says about a dozen other ActiveX Controls written by Microsoft also need to be fixed.

Microsoft provides the tools to let others - both the good guys and the bad guys - write ActiveX Controls. Smith says he is concerned that ActiveX Controls are proliferating in a way largely unknown to users, as the Controls ship with a growing number of laptop, computer and software applications.

"These preinstalled ActiveX Controls are the ones I see as very dangerous," Smith says. "Active Controls are pretty difficult to write, and these are written by the good guys. I'm talking about Controls you never have the option not to install - I call them 'accidental Trojans.' "

For instance, the Hewlett-Packard Pavilion laptop comes with an ActiveX Control called "Launch," designed to be used with the HP "System Wizard" for system diagnostics. Smith thinks it offers a back door into the laptop.

Kodak's imaging software that ships with Windows 98 has a Control to override files. It looks like a GIF file in the directory, but it's actually an unsafe ActiveX Control, Smith contends. A Toshiba laptop Smith looked at came with about 1,000 preinstalled ActiveX Controls.

To locate ActiveX Controls, Microsoft makes a tool called OLE View, part of the Visual Studio and Visual C++ developer's kits.
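
The same inventory can be taken from the registry, where a control's "safe for scripting" marking is recorded as a component category. The PowerShell below is an added example, not part of the original article and not Microsoft's tooling; it lists every registered class that claims the marking and shows whether an Internet Explorer kill bit already blocks it. It assumes the native registry view and the standard category IDs and kill-bit location.

```powershell
# Added audit example: list COM classes registered as safe for scripting or
# safe for initialization, and show whether a kill bit already blocks them.
$Categories = @{
    SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
}
$KillBit    = 0x400  # bit in "Compatibility Flags" that stops IE loading the class
$ClsidRoot  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$CompatRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

$report = foreach ($key in Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue) {
    try {
        # Which safety categories does this class claim in its registration?
        $claimed = foreach ($name in $Categories.Keys) {
            $cat = $key.OpenSubKey("Implemented Categories\$($Categories[$name])")
            if ($cat) { $cat.Close(); $name }
        }
        if (-not $claimed) { continue }

        # Binary that implements the class (default value of InprocServer32).
        $srv    = $key.OpenSubKey('InprocServer32')
        $server = if ($srv) { $srv.GetValue(''); $srv.Close() }

        # The kill bit lives under HKLM, keyed by the same CLSID.
        $compat = Get-ItemProperty -LiteralPath "$CompatRoot\$($key.PSChildName)" -ErrorAction SilentlyContinue
        $flags  = [int]$compat.'Compatibility Flags'   # 0 when no entry exists

        [pscustomobject]@{
            CLSID   = $key.PSChildName
            Name    = $key.GetValue('')
            Claims  = ($claimed | Sort-Object) -join ','
            KillBit = [bool]($flags -band $KillBit)
            Server  = $server
        }
    } catch {
        continue   # skip keys the current account cannot read
    }
}

# Classes that claim the marking and are not blocked sort to the top.
$report | Sort-Object KillBit, Name | Format-Table -AutoSize -Wrap
```

A control can also declare itself safe at run time through the `IObjectSafety` interface, which this registry check does not see, so the list is a lower bound.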

Smith says that he and his colleagues have not found a large number of ActiveX Controls embedded on public Web sites, probably because of the numbers of users still running a Netscape browser, which doesn't run ActiveX, he surmises.

