Security Now Blog: Addressing Today's Information Security Issues

With ActiveX Conveniences Come Security Risks

by Eirik Iverson, Product Management

Search the National Vulnerability Database (http://nvd.nist.gov/nvd.cfm) for medium- and high-severity vulnerabilities involving “ActiveX”. You would find dozens of examples in 2008 alone that could enable a hacker to “own” one or more endpoints in your organization. Hackers can use these to steal information from your PCs, infect other machines, and steal data from whatever servers those PCs interact with. Good news: you can do something about it!

What is ActiveX and why should you care? ActiveX provides rich functionality to millions of end-users every day, and they may not even know it. End-users do not click on them or launch them from the “Start” menu. Instead, the familiar applications that they use every day launch them. That’s right; it’s not just Internet Explorer. You would find many other vendor applications listed in your ActiveX search results from the National Vulnerability Database. BTW, technically, ActiveX applets and functions are called “controls”.

So, now you might ask yourself: do I have the most up-to-date versions (i.e., with security vulnerabilities patched) of all of those dozens of DLL and OCX ActiveX “controls” on all of my endpoints? Which of the applications on my endpoints use ActiveX? If I could disable ActiveX completely, would my help desk get swamped with trouble tickets? Are any mission-critical capabilities dependent upon ActiveX? Earlier this year, many federal agencies disabled ActiveX on a sampling of their PCs. The results were disruptive enough that doing so agency-wide would have required considerable effort to put alternatives in place.

ActiveX is deeply rooted in many organizations. What can be done when these vulnerabilities are reported? Vendors provide patches (i.e., revised ActiveX “controls”) to eliminate these ActiveX vulnerabilities. Until the patches are available for download, the vendors frequently advise desktop administrators to apply prescribed “kill bits” that temporarily disable the vulnerable ActiveX “control”. These “kill bits” are Windows registry edits. After the patches are applied, these edits must be undone. BTW, most administrators do not have tools that can implement “kill bits” on off-enterprise PCs. It would be interesting to know what percentage of desktop administrators are using which existing tools to implement “kill bits” for on-enterprise endpoints.
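As an added illustration (not part of the original post or any vendor's advisory), the script below shows what applying, auditing and undoing a kill bit looks like in PowerShell: the kill bit is the 0x400 bit of the “Compatibility Flags” DWORD under the control's CLSID in the ActiveX Compatibility key, which Internet Explorer checks before loading a control. The CLSID value is a placeholder; the real one comes from the vendor advisory, and the script assumes it is run from an elevated prompt.

```powershell
# Added example, not the post's own code. Placeholder CLSID: replace with the
# CLSID named in the vendor advisory for the vulnerable control.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Bit 0x400 in "Compatibility Flags" tells Internet Explorer not to instantiate the control.
$KillBit = 0x400
# On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node copy of the key.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }   # drop Wow6432Node on 32-bit Windows

function Get-CompatFlags([string]$Key) {
    # Returns the current DWORD, or 0 when the value (or key) does not exist yet.
    [int](Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Set-ActiveXKillBit([Parameter(Mandatory)][string]$Clsid) {
    # Apply the kill bit while preserving any other flags already set for the control.
    foreach ($root in $Roots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ((Get-CompatFlags $key) -bor $KillBit)
    }
}

function Remove-ActiveXKillBit([Parameter(Mandatory)][string]$Clsid) {
    # Undo the edit once the vendor's patched control has been deployed.
    foreach ($root in $Roots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ((Get-CompatFlags $key) -band (-bnot $KillBit))
    }
}

function Get-ActiveXKillBit {
    # Audit: list every CLSID on this endpoint that currently carries the kill bit.
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $flags = Get-CompatFlags $_.PSPath
            if ($flags -band $KillBit) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Flags = ('0x{0:X}' -f $flags); Hive = $root }
            }
        }
    }
}

Set-ActiveXKillBit -Clsid $Clsid   # apply while waiting for the patch
Get-ActiveXKillBit                 # confirm it took, alongside any other kill bits present
```

Running Get-ActiveXKillBit across a fleet is one way to answer the post's question of which endpoints actually have a prescribed kill bit in place, and Remove-ActiveXKillBit is the “undo” step the post says must follow the patch.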

There are third-party products that address the risks from ActiveX “controls”. Ideally, such host intrusion prevention system (HIPS), “sandbox”, and other products should not require that each ActiveX “control” be known or listed in order to protect the host. Also, the level of effort to deploy and maintain such a product MUST be carefully assessed. Remember to consider the volume of false positives that must be reviewed in the logs and the IT skill requirements of the personnel using the products. Some products ultimately require their administrators to be thoroughly familiar with the idiosyncrasies of the client applications on their endpoint population. These products should not confuse end-users or administrators with technically obscure “do you want to allow this?” questions. Many vendors overcome these technical complexities by offering subscription-based support. Be sure to factor that into your total cost of ownership comparison amongst different products. Lastly, because “stuff” happens in any given week with many endpoints off-enterprise, any product that fails to offer practical policy updates to off-enterprise endpoints should be disqualified from consideration.

Well, with ActiveX comes great convenience, but with that convenience come security risks. There are several ways to mitigate these risks, and some offerings are far more effective and practical than others. Shop around!
