Internet Explorer’s ActiveX Security Mitigations in Use

Background

As a part of the July security bulletin, Microsoft yesterday released an update to mitigate a vulnerability in the “Microsoft Video” ActiveX control. This control contained a stack-based buffer overflow which could be exploited by a malicious web page.

If you haven’t yet done so, please make sure you’ve installed the latest updates from WindowsUpdate to help keep your system secure.

The Microsoft Video control should not have been marked as safe because it wasn’t intended for use within the browser. Rather than updating the control itself, Microsoft decided to block misuse of the control via a killbit.  Killbits are simple registry flags that instruct the browser not to load the specified control. One advantage of killbits is that they can easily be set with a simple registry modification, and a “FixIt Script” that set this killbit was available on July 6th. You can learn more about the killbit mechanism over on the SRD Blog (Part 1, Part 2, Part 3).
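The post describes a killbit as a registry flag that tells the browser not to load a control. The PowerShell below is an added example (not from the original post or the FixIt Script) for administrators who want to audit or apply a killbit themselves: the killbit is the 0x400 bit of the `Compatibility Flags` DWORD under the per-CLSID `ActiveX Compatibility` key, and on 64-bit Windows the 32-bit browser reads the copy under `Wow6432Node`. The CLSID used in the usage line is a placeholder; the Video control's actual CLSID is not given on this page.

```powershell
# Added example: audit and set the Internet Explorer killbit for an ActiveX CLSID.
# Killbit = bit 0x400 of the "Compatibility Flags" DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# and, for the 32-bit view on 64-bit Windows, the same path under Wow6432Node.
$KillBit = 0x400

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($key in $keys) {
        $flags = 0
        $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
        [pscustomobject]@{
            Clsid   = $Clsid
            Key     = $key
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBit) -ne 0)   # $true when the control is blocked
        }
    }
}

function Set-KillBit {
    # Sets the killbit without clobbering any other compatibility flags already present.
    # Requires an elevated prompt (writes under HKLM).
    param([Parameter(Mandatory)][string]$Clsid)

    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$current -bor $KillBit) -Type DWord
}

# Usage: placeholder CLSID, substitute the CLSID from the security bulletin you are applying.
Get-KillBitStatus -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

Checking both registry views matters on 64-bit machines: a killbit written only under the native key leaves the 32-bit browser, which is the one most users actually run, unprotected.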

ActiveX Mitigations by IE Version

The Video ActiveX vulnerability was extremely serious for IE6 users because that browser version provides no protection against this exploit unless the killbit is applied.

In contrast, IE7 users had some protection against exploitation of this vulnerability.  IE7 includes the ActiveX Opt-in feature which disables most ActiveX controls (including this one) by default.  IE7 users on Vista also benefit from Protected Mode, which helps prevent the installation of malicious software, even in the event that an exploit results in code execution.

Beyond Protected Mode and ActiveX Opt-in, IE8 users benefitted from additional protections that help to mitigate vulnerabilities like this one. IE8 includes the per-site ActiveX feature, which extends ActiveX Opt-in by preventing controls that are permitted to run on one site from running automatically on other sites. More importantly in this case, DEP/NX memory protection is enabled by default for IE8 users on Windows XP SP3, Windows Vista SP1+, and Windows 7.  DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable.  DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), makes it harder for attackers to successfully exploit certain types of memory-related vulnerabilities, including this one.
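Because IE8's DEP/NX protection only helps when the operating system's DEP policy allows it, an administrator checking a fleet will want to see that policy alongside the browser's own switch. The PowerShell below is an added example (not from the original post); it reads the documented `DataExecutionPrevention_*` properties of `Win32_OperatingSystem` and, as an assumption about the browser setting, the `DEPOff` value under the Internet Explorer `Main` key, which is what the "Enable memory protection" checkbox and the corresponding Group Policy toggle.

```powershell
# Added example: report the system DEP policy and the IE "memory protection" switch.
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$PolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Assumption: DEPOff = 1 under these keys means IE's DEP/NX opt-in has been turned off.
    # The Policies key, when present, is the Group Policy override of the user setting.
    $userKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
    $userOff   = (Get-ItemProperty -Path $userKey   -Name 'DEPOff' -ErrorAction SilentlyContinue).DEPOff
    $policyOff = (Get-ItemProperty -Path $policyKey -Name 'DEPOff' -ErrorAction SilentlyContinue).DEPOff
    $ieOff = if ($null -ne $policyOff) { $policyOff } else { $userOff }

    [pscustomobject]@{
        DepAvailable     = $os.DataExecutionPrevention_Available
        DepPolicy        = $PolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Dep32BitApps     = $os.DataExecutionPrevention_32BitApplications
        IeMemoryProtect  = if ($null -eq $ieOff) { 'default (on)' } elseif ($ieOff -eq 1) { 'OFF' } else { 'on' }
        # IE8 only gets DEP/NX when the OS policy is not AlwaysOff and the browser switch is not off.
        IeDepEffective   = ($os.DataExecutionPrevention_SupportPolicy -ne 0) -and ($ieOff -ne 1)
    }
}

Get-DepStatus | Format-List
```

An `AlwaysOff` system policy or a `DEPOff` value of 1 are the two findings worth flagging, since either one removes the IE8 mitigation the post relies on.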

Security is a Journey

Unfortunately, attackers are always on the lookout for vulnerable code, and Microsoft is currently investigating a vulnerability recently discovered in the Microsoft Office Web Components (OWC) ActiveX controls. Until an update is available, users can help prevent exploitation of the vulnerability by running the FixIt Script that killbits the vulnerable OWC controls.

No Easy Answers

When talking to customers, I’m often asked: “ActiveX controls often have problems. Why not release a version of Internet Explorer without ActiveX?”

It’s a reasonable question, and it goes back to my point that “security is usually easy, it’s the tradeoffs that are hard.” End-users or IT administrators can easily disable ActiveX in all versions of IE in just a few seconds: click Tools > Internet Options > Security > Custom Level… and change the “Run ActiveX controls and plug-ins” setting to “Disable.” Alternatively, IE7 and IE8 users can launch Internet Explorer in No Add-ons mode using the Start Menu shortcut. Unfortunately, many sites depend on the rich capabilities provided by add-on technologies like ActiveX, and those sites will not work as well, or at all, if ActiveX is disabled. Users and administrators can more tactically disable unwanted controls using Manage Add-ons or Group Policy, reducing attack surface as much as possible.
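The Custom Level setting described above is stored per security zone, which makes it easy to audit or enforce across many machines without clicking through the dialog. The PowerShell below is an added example (not from the original post): it reads the "Run ActiveX controls and plug-ins" action, URL action 0x1200, for each zone from the user's registry and from the Group Policy key, and can set the Internet zone to Disable. The zone numbers, the action value and the 0/1/3 encoding are the documented Internet Explorer ones; the assumption that a policy value takes precedence over the user value reflects how Group Policy for zone settings behaves.

```powershell
# Added example: audit and enforce the "Run ActiveX controls and plug-ins" zone action.
# Registry value name 1200 (URLACTION_ACTIVEX_RUN); data 0 = Enable, 1 = Prompt, 3 = Disable.
$ActiveXRunAction = '1200'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneSetting {
    foreach ($zone in 0..4) {
        $userKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $policyKey = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $user   = (Get-ItemProperty -Path $userKey   -Name $ActiveXRunAction -ErrorAction SilentlyContinue).$ActiveXRunAction
        $policy = (Get-ItemProperty -Path $policyKey -Name $ActiveXRunAction -ErrorAction SilentlyContinue).$ActiveXRunAction
        # Assumption: a Group Policy value, when present, wins over the user's Custom Level choice.
        $effective = if ($null -ne $policy) { $policy } else { $user }

        [pscustomobject]@{
            Zone      = $ZoneNames[$zone]
            User      = if ($null -eq $user)   { 'not set' } else { $ActionNames[[int]$user] }
            Policy    = if ($null -eq $policy) { 'not set' } else { $ActionNames[[int]$policy] }
            Effective = if ($null -eq $effective) { 'default' } else { $ActionNames[[int]$effective] }
        }
    }
}

function Disable-ActiveXInZone {
    # Equivalent of Custom Level... > "Run ActiveX controls and plug-ins" > Disable for the given zone.
    param([int]$Zone = 3)   # 3 = Internet zone
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    Set-ItemProperty -Path $key -Name $ActiveXRunAction -Value 3 -Type DWord
}

Get-ActiveXZoneSetting | Format-Table -AutoSize
```

Disabling the action in the Internet zone while leaving the Local intranet and Trusted sites zones alone is the usual compromise the post alludes to: intranet sites that depend on ActiveX keep working, and arbitrary sites on the Internet do not get to instantiate controls at all.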

While we continue to evangelize best-practices for developing secure add-ons, we strongly encourage users and organizations to upgrade to IE8.  IE8 offers a robust set of mitigations against exploitation of vulnerable controls, helping keep your systems secure.

Thanks for reading!

-Eric Lawrence

Comments (26)

  1. monix says:

    Do the Netscape/mozilla plugins work in IE?

    Those np*.dlls

  2. Blake Ross says:

    @Monix: duh, no. Netscape threatened to sue MS for NP*.dll support so MS had to pull that years and years ago.

  3. @Monix: Netscape plugin DLLs do not work (by default) in IE. There’s an old ActiveX control (I don’t know if it’s maintained anymore) which can be used to load NPAPI controls, but it’s not very useful for anything.

  4. 8675309 says:

    I had been having problems with Protected Mode in Vista IE8, but it was related to Flash being set to allow all sites (around the time I installed an HP/Hauppauge ExpressCard TV tuner), so I reset the Flash ActiveX control to block all, and now all the sites that I want are approved and the ones I don’t aren’t. It would have been nice if it would have reset upon me reinstalling Flash.

  5. Ian says:

    @EricLaw – I realize your catch-22 here with ActiveX controls providing almost unlimited power to create cool things (good) yet at the same time providing an almost unlimited attack surface (since very few users disable ActiveX)

    In a perfect world what type of sandboxing restrictions would you like to see applied to ActiveX controls within the browser to help mitigate future attacks?

    e.g. Specific security flags:

    – ActiveX plugins can access your local filesystem? [NO]

    – ActiveX plugins can launch new browser windows? [NO]

    – ActiveX plugins can access other tabs in my browser? [NO]

    – ActiveX plugins can access my browser history? [NO]

    I realize that all plugin/addon/extension models in browsers are a concern vector in browser security but when I step through the install process of adding a Firefox extension I find it much more comforting and trustworthy.  Even the 3 second delay before I can actually do an install is great for the click-happy web users these days that might be fooled into accepting a plugin install prompt.

    On a side note (since I believe you are familiar with some of this) is there an option in Windows Media Player that controls whether a movie can launch a URL in the browser?

    I get very frustrated using WMP to view videos when the sneaky publisher has injected links that launch browser windows (usually to hacker, poker or porn sites).  Not only do I not want any of that garbage, but they usually launch in IE windows which disrespects my preferred browser choice which makes me even more mad that I’m being "abused".

    I take it that whatever fixes this in WMP would also fix the plugin bit that plays inline in my browser… correct?


  6. I’ve already installed the new update.

    What time frame shall we expect an update to be available to fix the newly discovered vulnerability in the Office Web Components ActiveX controls?

  7. Webkit says:

    IE and Silverlight just became even more irrelevant. This is the death of IE and Silverlight.

  8. EricLaw [MSFT] says:

    @Ian: Protected Mode already enforces security restrictions on ActiveX controls and other content that help prevent writing of the file system, registry, etc.  For the other things you’ve cited: access to these resources is one of the primary reasons that most ActiveX add-ons are written in the first place, so disabling them would be functionally equivalent to disabling ActiveX in the first place.  All popular browsers support unrestricted native code extensibility, using either ActiveX or NPAPI.  

    IE doesn’t even show an ActiveX install prompt by default– it shows the information bar and it takes two clicks to even get to the prompt. SmartScreen filter is used to scan for malicious ActiveX install points, and hence the number of actually malicious controls is quite low.  

    As to the WMP question: I believe it depends on the version, but in my version, the Options inside Tools / Options / Security allow me to disable the player’s ability to run script, etc.

    @Quality Directory: Are you asking questions primarily as a means of SEO for your link?  As noted in the post, you can use the FixIt Script now. In terms of a formal update, that depends on what the Office team’s investigation turns up and when they prepare a patch. I do not have insight into other teams’ patches.

  9. @EricLaw: I don’t ask questions here as a means of SEO for my link. My main purpose of visiting is to read and learn how new features of IE work, but not for SEO. I have a small computer company and write computer-related articles for my users. For me to write well, I need an inside view.

  10. Harry Richter says:

    @ EricLaw

    Why not use rel="nofollow", like e.g. Wikipedia for the links in this blog?

    …thus we might get rid of some of the spam in this blog!



  11. billybob says:

    Just wondering if you have any plans to support or work with Google on Native Client?  It seems to fix all of the security problems of ActiveX.

    The CSS3 Snow Stack looks cool if you have time…

  12. Ian says:

    billybob: roflmao! Yes, Native Client is magically secure because Google made it!

    "Given the sheer volume of security failures found in all of Google’s client-side applications [that] we have assessed, we find it unlikely that Google has suddenly found a silver bullet," Hansen says.

  13. billybob says:

    Exactly!  We all know that Microsoft knows everything about security.

    That is why I asked if Microsoft were working with them to help make it as secure as possible.  With Google and Microsoft working on a solution, we can have a secure, standards-based solution that everyone likes.  It would be great for the web and everyone who uses it.

    Personally I am getting slightly tired of virus-scanners, blacklists and ActiveX killbits.  Is the future really based on constantly updating blacklists?  10 years of experience has taught me that blacklists are a bad idea and rarely work.

    Obviously it is too much to hope that anyone at Microsoft can step outside their microcosm and work with the rest of us in the industry.  Instead we can look forward to a future of polarization.  The standards-based way, and the Microsoft way.  We see how well that has served businesses who are now locked into ActiveX and IE6.

    That article does not mention Native Client at all, but concentrates on privacy problems in the web application.  Native Client is designed so that you can run exes from the web without worrying that they are going to take over your machine.  That is different to XSS and privacy problems.  Dave Marcus clearly does not know about it or understand it, his quote is laughable and based on the Microsoft definition of running code.

  14. Ian says:

    Billybob: You clearly have no idea what you’re talking about. Either you didn’t read the article, or you didn’t understand it: the point is that Google has a lousy track record on security. When an exec makes "idiotic" claims (BruceS’s words, not mine) that their product was "Designed for security" they deserve our scorn, not our trust.

  15. Spider says:

    Thanks and greetings from Germany

  16. billybob says:

    You are saying that anyone who tries to write a secure operating system deserves our scorn?  I say encourage them.  Hopefully they will succeed where Microsoft failed.

    I read the article but there were no details or facts there at all, maybe as a community of IT professionals we should look at the facts and track record of security before deciding which company to give our scorn and distrust.  Maybe you could list the top 3 Google security blunders and I can compare them to Microsoft’s.

    Maybe you could comment on some of the technical aspects of Native Client and maybe explain how it is so idiotic?  Or maybe you do not understand anything but blacklists for security?

  17. Steve Rath says:

    Is there a way to detect Silverlight without using CreateObject() to test for it?

  18. EricLaw [MSFT] says:

    @BillyBob: Google’s NativeClient doesn’t attempt to compete with ActiveX. NativeClient aims to compile native x86 code using specially designed compiler-enforced and runtime-verifiable code-generation restrictions.

    The hope is that such code cannot undertake operations that have side-effects on the system. NaCl is somewhat similar to Microsoft Research’s Xax project:

    In contrast, ActiveX is primarily used in scenarios where side-effects on the system are desirable; in other cases, JavaScript is used. Neither Xax nor NativeClient is capable of replacing ActiveX in the vast majority of use-cases.

    @Steve: To reliably detect SilverLight, you’d need to actually try to create the object. Keep in mind, of course, such creation will fail if the object is disabled, even if otherwise present.

    It would be interesting if the SilverLight team put its version info in the Version Vector registry key, as that would allow you to test for SilverLight using Conditional Comments, but that has not yet happened as far as I know.

  19. billybob says:

    Eric, can you please explain a few use-cases which Xax/NaCl is not suitable for (maybe in a different post)?  The Xax page says that almost anything is possible from 3D acceleration to speech synthesis.  It also says it has support for legacy code.

    P.S. Will your version of Silverlight detection also detect Moonlight?  I have never seen a Silverlight movie work with Moonlight because of detection problems.  It is very annoying as a user and probably not what the developer intended.

  20. We’ve already installed the update, thanks for the information and best regards from Tom from Germany

  21. EricLaw [MSFT] says:

    @billybob: I cannot effectively summarize an entire research project in a comment box. The general point is that ActiveX is typically designed to provide greater access to the system than is allowed in the web security model, while Xax and NaCL are both generally designed to enforce the web security model on native x86 code. As soon as you add "back doors" to allow such methods more access to the system, you’re effectively reinventing ActiveX in the general sense.

    WRT Silverlight, I’m not sure exactly what you’re asking. Moonlight, AFAIK, is an implementation of Silverlight which runs in non-IE browsers on non-Windows platforms. Conditional Comments are an IE feature, if that’s what you’re asking.

  22. billybob says:

    What I was asking about Silverlight was is there a standard method to detect Silverlight or Moonlight on any supported system?  Do these plugins expose a common browser object?

    Otherwise we will have to go back to browser and OS sniffing and update every time a new independent Silverlight implementation is released.  It will be worse than checking for IE vs Netscape.

    If I were designing a new safe system from scratch, I would ban back doors which circumvent any security measures in place, there is no reason why web applications need direct access to the system files, except Windows Update and virus scanners, both of those could be implemented as a standard system binary without the extra security validations.

  23. Ian says:

    From your remarks, "billybob", it’s a safe bet you won’t be designing any systems any time soon.

  24. I have installed the update and it seems to work for me. Thanks for sharing this.

  25. Mike says:

    I was attempting to upload some pictures to Facebook, which I recently joined, and it tells me to click on the ActiveX controls tab at the top of the page. There is no ActiveX controls tab and it knocks me off of the webpage. It says Internet Explorer has closed this webpage to protect your computer:

    A malfunctioning or malicious add-on has caused Internet Explorer to close.

    Is this the problem you are talking about here? I’m not really computer savvy.

  26. EricLaw [MSFT] says:

    @Mike: This suggests that perhaps you have an older version of the Facebook control installed. Check inside Tools / Manage Addons to see. If you find one, you might want to uninstall it and install the new one.

    What version of IE and Windows are you using?