These well-known examples are just the tip of the iceberg for the vulnerabilities that ActiveX exposes users to. One reason is that as Microsoft fixes vulnerabilities in Windows, hackers are moving to easier targets, such as ActiveX, said Randy Abrams, director of technical education at ESET, a maker of anti-malware software. "Applications and plug-ins like ActiveX are the new low-hanging fruit so that's what's being attacked," he said.
Abrams believes that ActiveX introduces unnecessary risk in many cases, because it is typically used for nonessential purposes. "The truth is that the ActiveX problem is also based on an irrational love of fashion; it's all about adding functionality to sites and applications to make them look cool, but in actuality it's completely unnecessary," he said. "If it wasn't for this need to make things look fashionable there would be much less risk." But Abrams doesn't expect developers to throttle back ActiveX use despite its security risks: "The cat is out of the bag, and sites now compete to look visually impressive and offer better functionality."
Many developers of ActiveX-based applications do a poor job of ensuring security, notes Craig Schmugar, a threat researcher at McAfee's Avert Lab. And that threat grows as the number of ActiveX applications grows. "You can improve developer education, but hackers are likely to keep attacking the soft targets," he said.
It's also become easier for hackers to find ActiveX's flaws, thanks to the broad availability of fuzzing tools. "The publicly available fuzz testing tools for ActiveX make it relatively simple to find new vulnerabilities and controls to go after, so people are able to research how exploitable certain applications may be before writing their attacks," said Carnegie Mellon's Dormann. "People are finding new holes all the time and posting them to public mailing lists," he added.
"One of the most telling things to look at with ActiveX is that security researchers delving into these problems don't get a lot of respect within the vulnerability research community itself," Schmugar noted. "That's mostly because with the sheer number of holes, and all the available fuzzing tools, people look at it like shooting fish in a barrel."
IE7 improvements should help over time
Microsoft is well aware that ActiveX is both a big target for hackers and one that they can successfully attack. So the company has re-architected its Internet Explorer Web browser in version 7 to limit the scope of well-known attack methods. Researchers say that the work should eventually produce dividends.
For example, the original implementation of ActiveX in IE6 and earlier versions exposed the installed control binaries to any page a user visited. By contrast, IE7 gives sites and applications far less access to those controls, preventing malware authors from activating code that would let them compromise the browser.