[VIM] fyi Milw0rm ActiveX controls insecure methods by t0pP8uZz

[Steven M. Christey]

On Fri, 9 May 2008, str0ke wrote:

> The researcher stated that Rob was correct and that he had IE mis
> configured on his end.

... and probably an extremely common misconfiguration, I'd bet:

1) in the Internet zone, the user might have set "Enable" or "Prompt" for
the "Initialize and script ActiveX controls not marked as safe for
scripting" setting, e.g. to let some OTHER control work correctly.

2) In the Trusted zone, this is probably more likely to be set to prompt
or enable.

3) Wouldn't malware think it was fun to change this setting?  And, more
importantly - if an AV product knew that malware did/does this, how would
it know which value to set it back to?

I bet that if someone somewhere did an investigation on browser settings
for scripting, there would be a relatively high percentage that have
unsafe values.

So this seems to me like something similar to requiring that
register_globals is enabled - yeah people shouldn't be doing that, but a
lot of them do.

Here's an example of a user who fixed an ActiveX problem by changing from
disable to prompt, which at least gets "user-assisted":

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1210350698911+28353475&threadId=1005787

Ooooh, here's an AWESOME one!  Set everything to enable!

http://www.checktraining.com/docs/general/Tech%20Support%20Manual/PDF's/ARC%20Internet%20Security%20Settings.pdf

and here:

http://www.emolecules.com/doc/mcchem_installation.htm

So anyone who uses that product would be automatically subject to other
vulnerabilities.


- Steve