Taming Internet Explorer Browser Plug-Ins
June 29, 2008 – 12:01 PM
Security Fix has often lamented the lack of decent point-and-click software tools to help Microsoft Internet Explorer Web browser users kill insecure “ActiveX controls,” plug-ins for IE that have traditionally been among the biggest avenues of attack from spyware and adware. That’s why I’m pleased to call attention to a free new tool called “AxBan,” which helps neuter insecure ActiveX plug-ins installed by some of the most widely used third-party software applications.
ActiveX is a Microsoft creation woven into both IE and the Windows operating system. It was designed to allow Web sites to develop interactive, multimedia-rich pages. However, such powerful features rarely ever come without security trade-offs.
Poorly designed ActiveX controls can be an extremely potent weapon for cyber crooks, since most ActiveX controls distributed with third-party software are marked “safe for scripting.” This means that they will run when invoked, without requiring the user’s permission. As a result, any Web page can use the control and its methods, which in many cases include the ability to download and execute potentially hostile code.
Not only are ActiveX vulnerabilities frequently targeted by hackers, they are among the most common browser-related vulnerabilities. In its latest Internet Security Threat Report, Symantec documented some 239 new vulnerabilities in Web browser plug-ins. Plug-ins for Adobe Acrobat, Flash, Java, Mozilla Firefox, QuickTime and Windows Media Player made up 21 percent of those, while the rest were all ActiveX-related vulnerabilities.