Unit 2 Discussion

NOTE: I’m trying a little bit of an “experiment” with how I’m formatting this discussion board response. If this is too distracting (or even just plain improper) feel free to point this out to me, and I’ll relegate this “idea” to the proverbial “scrap heap.” Anyway, here we go…

Many security experts are concerned about Microsoft’s ActiveX controls and how they can be used by attackers. In response, Microsoft has created a system that it claims will authenticate and verify the controls. Using the Web, research the debate over ActiveX controls and analyze Microsoft’s security design. Is it strong enough? What security breaches have occurred in the past regarding ActiveX controls?

A Quick Introduction To ActiveX:

ActiveX is a web browser extension technology created by Microsoft with the intention of giving web pages levels of interactivity with the Windows operating system and the computer user that were otherwise not possible (or not very easy to accomplish) at the time of ActiveX’s introduction to Internet Explorer in 1996.  While many of us may just take ActiveX for granted, it is important that we realize that those of us who use Windows operating systems use ActiveX in some form or another almost on a daily basis.  For instance, when we visit Windows Update or Microsoft Update on a Windows XP system, Internet Explorer uses ActiveX to allow the web site to determine which updates we can (and need to) install.  Also, as another example, for those of us who are taking (or have taken) the CIS150 or CIS151 courses on Moodle, when we view the “Multimedia Lecture” videos in Internet Explorer, an ActiveX control is being used to display the video in the browser.

Why ActiveX Is A Security Concern:

The very founding concepts of ActiveX, sadly, make it a great concern for those of us interested in Network Security.  As ActiveX’s “mission” is to provide web-based programs with access to certain system-level functions (such as, for example, the ability to silently download and install files on the computer, without the computer user being aware of this activity), ActiveX controls (when programmed by people with nefarious intentions) can be used to do any one of several things:

  • Read (and upload), modify, or delete files and data on a user’s computer, without the user being aware of it.
  • Infect files with viruses, install Trojan horses, or install any other type of malware.
  • or, perform any number of other bad actions that the evil-intending programmer might desire.

And, it is important to realize that these possibilities are not merely “hypothetical.”  The possibilities for exploitation via ActiveX have been used by evil-meaning individuals for many years.  Of course, this should not be interpreted to mean that ActiveX is a bad technology (in fact, there are many services that make perfectly legitimate uses of it).  It is just important that we all realize that the very flexibility of the ActiveX system makes it important for us to keep in mind its security implications.

What Microsoft Has Done To “Secure” ActiveX:

For many years now, Microsoft has provided various “named” methods for securing ActiveX controls, and other software downloaded using its Internet Explorer browser.  The most well-known of these systems is “Authenticode.”  If you’ve ever downloaded something with Internet Explorer and seen a dialog box asking something like “Internet Explorer has finished downloading downloaded_file.exe from Downloadable Programs, Inc — Are you sure you want to run…” — then you have seen Authenticode in action.

Unfortunately, in the default configuration for Windows (client) Operating Systems, the security determinations for ActiveX controls are left completely up to the computer users.  This may seem like a good thing; it’s not — users are often all too happy to click the “Yes” button on those “Are you sure” dialogs.  Fortunately, for those of us who do (or will) find ourselves working on networks with Windows domain controllers or modern operating systems (Windows XP or later with Service Pack 2 or 3), there are some new options for restricting ActiveX installation on a per-machine or per-user basis (you can see the “TechNet” link below if you want more information on the options for ActiveX installation restriction).  Sadly, though, for those of us who might spend time working on networks based on WorkGroups or that use mainly older operating systems (such as Windows 2000 and earlier versions), the best defense against the danger of installing ActiveX scripts and controls is strenuous teaching of security skills to individual users (a goal which, oftentimes, is very difficult or impossible to completely achieve).
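As an added example (not part of the original post), the PowerShell audit below lists the Authenticode status of the ActiveX binaries Internet Explorer has installed and reports whether the ActiveX-install restriction is configured per machine or per user. The `Downloaded Program Files` directory and the `FEATURE_RESTRICT_ACTIVEXINSTALL` feature-control key are not named in the post; they are assumed here as the standard locations, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit installed ActiveX controls and the install restriction.
# Assumption: IE stores downloaded controls in %SystemRoot%\Downloaded Program Files.
$controlDir = Join-Path $env:SystemRoot 'Downloaded Program Files'

# 1. Authenticode status of each control binary in the download directory.
$report = @()
if (Test-Path -LiteralPath $controlDir) {
    $report = Get-ChildItem -LiteralPath $controlDir -File -Force |
        Where-Object { $_.Extension -in '.ocx', '.dll', '.exe' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Anything not 'Valid' is unsigned, tampered with, or signed by an untrusted
# publisher, and deserves a closer look.
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
"{0} control binaries found, {1} without a valid signature" -f @($report).Count, $suspect.Count
$suspect | Format-Table -AutoSize

# 2. Is ActiveX installation restricted? Check the Group Policy locations
#    (per-machine, per-user) and the local per-machine setting.
#    Assumption: the feature-control key name below (introduced with XP SP2).
$feature = 'Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL'
$keys = @(
    "HKLM:\SOFTWARE\Policies\Microsoft\$feature",
    "HKCU:\SOFTWARE\Policies\Microsoft\$feature",
    "HKLM:\SOFTWARE\Microsoft\$feature"
)
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        # Each value is a process name; data 1 means the restriction is on.
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0}: {1} = {2}' -f $key, $_.Name, $_.Value }
    } else {
        '{0}: not configured' -f $key
    }
}
```

A valid signature only identifies the publisher and confirms the file is unmodified; it says nothing about whether the control itself is safe to run.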

----------------------------------------

The following web pages were used (or viewed for consideration) in my writing of this post.  Even if they were not directly referenced or used in this posting, they should all be able to provide you with more in-depth information on the material I have covered.

Adoko.com – “ActiveX Security Issues”
http://www.adoko.com/activex.html

Wikipedia – “ActiveX”
http://en.wikipedia.org/wiki/ActiveX

Tech-Pro.net – “All About Authenticode”
http://www.tech-pro.net/authenticode.html

Microsoft TechNet – “Internet Explorer Feature Control Settings in Group Policy”
http://technet.microsoft.com/en-us/library/cc775996%28WS.10%29.aspx