Yet another reason to not use Internet Explorer
usrbingeek | Aug 12, 2008 | 0 comments
Symantec is reporting that Internet Explorer users that don’t have an vulnerable ActiveX control are still vulnerable to an attack as attackers have found a way to install the control.
Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.
While this silent installation ability obviously poses some interesting security considerations, it is actually fairly core to ActiveX operation. For example, a site that wants to provide an Access report for its users may want to install the trusted control and permit the users to simply view the report. This would provide a cleaner experience for the site’s users, rather than forcing them to go to the Microsoft site to download and install the control.
While this silent installation ability obviously poses some interesting security considerations, it is actually fairly core to ActiveX operation. For example, a site that wants to provide an Access report for its users may want to install the trusted control and permit the users to simply view the report. This would provide a cleaner experience for the site’s users, rather than forcing them to go to the Microsoft site to download and install the control.
Lovely. Why do people still insist on using Internet Explorer?
[ActiveX Vulnerabilities: Even When You Aren't Vulnerable, You May Be Vulnerable]
Filed Under: Tech News
