Skip the navigation
News

Security pros: Kill ActiveX

Wave of IE plug-in bugs prompts US-CERT to recommend disabling ActiveX

By Gregg Keizer
February 5, 2008 12:00 PM ET

Computerworld - A wave of bugs in the plug-in technology used by Microsoft Corp.'s Internet Explorer browser has some security experts, including those at US-CERT, recommending that users disable all ActiveX controls.

The U. S. Computer Emergency Readiness Team, part of the U.S. Department of Homeland Security, put it bluntly in advisories posted in the last two days: "US-CERT encourages users to disable ActiveX controls as described in the Securing Your Web Browser document," the organization recommended.

US-CERT's advice was prompted by multiple vulnerabilities in high-profile ActiveX components used by members of Facebook and MySpace and by users of Yahoo Inc.'s music services.

Three new vulnerabilities in the photo uploader software used by both Facebook and MySpace were disclosed yesterday by researcher Elezar Broad, who on Monday also posted sample attack code for a pair of critical bugs in Yahoo's Music Jukebox. Last week, Broad had pinned the Facebook and MySpace ActiveX controls with two other flaws. All five of the Facebook/MySpace vulnerabilities originated with an ActiveX control developed by Aurigma Inc.

As the number of vulnerabilities mounted, security professionals began ringing the alarm. On Monday, for instance, Symantec analysts urged users to "use caution when browsing the Web" and told IT administrators to disable the relevant ActiveX controls by setting several "kill bits" in the Windows registry.

US-CERT, however, offered up more aggressive advice as it recommended users move IE's security level to the "High" setting, which completely disables all ActiveX controls.

Setting IE's security level to 'High' disables all ActiveX controls. To get here, select Internet Options from the Tools menu, then click on the Security tab. Click Internet at the top for the zone, then move the slider up to the maximum.

"That's the easiest way to protect yourself," agreed Oliver Friedrichs, director of Symantec Corp.'s security response group. "But it can also have an adverse impact on your browsing experience." A compromise, said Friedrichs, would be to disable "only those plug-ins that pose a current and imminent threat," such as the flawed ActiveX controls used by Facebook, MySpace and Yahoo.

Disabling individual ActiveX controls, however, requires editing the Windows registry. That's too scary for most home users to contemplate, but business users are another matter. "That approach is hard to argue against in the enterprise," said Friedrichs, who noted that there are tools available that let corporate IT administrators push registry changes -- including new keys that disable specific ActiveX controls -- to all users.

The SANS Institute's Internet Storm Center acknowledged that setting kill bits is beyond the ken of most users; one of its researchers came up with a graphical interface-based tool that sets and clears the kill bits of six ActiveX controls that have been tagged with bugs in the past week. The free tool can be downloaded at the ISC's Web site.



Additional Resources
Forrester Consulting - Optimizing Users and Applications in a Mobile World
WHITE PAPER
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Security White Papers
Overcome Top 7 Admin Challenges of Active Directory
As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
Insiders Can Ruin Your Company. Take Action.
Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
Top Solutions and Tools to Prevent Devastating Malware
Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
X-Ray of the PCI Process-4 Proactive Steps
This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
Identity Governance: The Business Imperatives
This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make...
All Security White Papers
Security Webcasts
Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
Introduction to VMware vCenter Site Recovery Manager 5
Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
The Top Ten Secrets to Avoiding SAN Performance Problems
Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
Deduplication Without Compromise
Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
Director of Disk Products Discusses DXi6700
Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
All Security Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs