Hacking the Internet user:Malicious mobile code

• Microsoft ActiveX (Active X controls have the file extension.ocx)

  • similar to OLE let an object be embedded in a page using the <object> tag
  • When IE finds a page with a control, it checks the Registry to find out if the control is available, if it is IE displays the page and runs the control
  • If it is not, IE uses Authenticode to check the author (Verisign role) and download the control. Finally IE displays the page and runs the control
  • “Safe for Scripting”: Authenticode is not used with these controls, malicious Web sites may explore as a vulnerability. Easy to mark as such. Countermeasures:
    • apply patches for Scriptlet/Eyedog and OUA (Office 2000 UA).
    • Set macro protection to High in Tool/Macro menu in Office.
    • restrict or disable ActiveX, using security zones
  • Using security zones: IE has five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.
    • Internet zone: disable ActiveX controls, enable per-session cookies and file download, and set scripting to prompt.
    • Trusted Sites: assign medium security and add sites you can trust to run ActiveX controls, e.g. Microsoft sites.

Previous slide

Next slide

Back to first slide

View graphic version