If you haven't thought about ActiveX Exploitation in a while, a read-through of Warlord's January 2008 article, "ActiveX - Active Exploitation" is in order. I bring this up because the next StrikePack will feature a new strike, "Analysis: Killed ActiveX Instantiation."
As the name implies, this strike iterates through the client-side ActiveX controls that Microsoft has "killed" via the kill bit mechanism, and simulates a series of evil web pages which instantiate those controls. As of today, there are 445 kill bits set on Windows XP and Vista. These are all controls that Microsoft, in no uncertain terms, has labeled as Very Bad For Internet Explorer. If you run any of these controls, your browser will crash in horrible ways, or you risk getting commands passed directly to the shell, or your browser hands over all your personal data, or some other awful desktop fate.
Instantiating these controls is easy -- just deliver an OBJECT tag with the appropriate CLSID, reference the object with your exploitastic JavaScript, and you're pretty much done. Thus, you would think that blocking these controls from instantiating in the first place would be as fundamental to malware detection as any string-matching Slammer or Blaster signature.
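As an added example (not code from the original post), here is the kind of defender-side check the post argues inspection devices should be doing: pull the CLSID out of each OBJECT tag and match it against the set of kill-bitted controls. The CLSIDs and HTML below are constructed placeholders, not real killed controls; the registry path and the 0x400 flag are the standard ActiveX Compatibility kill-bit location, read only when running on Windows.

```python
import re

# Kill bit: "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
KILLBIT_FLAG = 0x400
KILLBIT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample kill list (placeholder CLSIDs, not real controls).
SAMPLE_KILL_LIST = {
    "{00000000-0000-0000-0000-000000000001}",
    "{00000000-0000-0000-0000-000000000002}",
}

# Constructed sample page: one killed control, one benign, one with no classid.
SAMPLE_HTML = """<html><body>
<object classid="clsid:{00000000-0000-0000-0000-000000000001}" id="ctl"></object>
<OBJECT CLASSID='clsid:12345678-1234-1234-1234-123456789ABC' id="ok"></OBJECT>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

_OBJECT_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Tolerates quoting, case, and optional braces around the GUID.
_CLASSID_RE = re.compile(
    r"""classid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})\}?""", re.IGNORECASE)

def is_killed_flags(value):
    """True if a Compatibility Flags DWORD carries the kill bit."""
    return bool(value & KILLBIT_FLAG)

def extract_clsids(html):
    """Return normalized {GUID} strings from every OBJECT tag with a classid."""
    found = []
    for tag in _OBJECT_RE.findall(html):
        m = _CLASSID_RE.search(tag)
        if m:
            found.append("{" + m.group(1).upper() + "}")
    return found

def find_killed(html, kill_list=SAMPLE_KILL_LIST):
    """CLSIDs in the page that are on the kill list, in page order."""
    return [c for c in extract_clsids(html) if c in kill_list]

def load_kill_list_from_registry():
    """Windows only: collect CLSIDs whose Compatibility Flags have the kill bit."""
    try:
        import winreg
    except ImportError:
        return set()  # not Windows; caller falls back to a static list
    killed = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KILLBIT_KEY) as root:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, clsid) as sub:
                    flags, _ = winreg.QueryValueEx(sub, "Compatibility Flags")
                if is_killed_flags(flags):
                    killed.add(clsid.upper())
            except OSError:
                continue  # subkey without the value; not a kill bit entry
    return killed
```

A check like this only sees OBJECT tags present in the delivered HTML; script that builds the tag or calls ActiveXObject at runtime needs the inspection device to look at the script, which is part of why the strike described below is useful.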
However, informal testing of a couple of devices we have around the office proved this assumption to be baseless. Rather than the forty or fifty percent detection rates I was expecting, I found rates between zero and ten percent.
Admittedly, I had low expectations to begin with, so I wasn't exactly shocked. That said, if you're in the market for a fancy expensive device that claims client-side coverage, you may want to consider how that gear stacks up against vendor-confirmed, publicly disclosed, easy-to-use browser vectors.