Is it ActiveX that is the problem?

Last week, an expert from Verizon, née Cybertrust, posted a note about the Active Template Library (ATL) security vulnerability over on the Verizon Business Security Blog. For home users, the phone company now advises you to use a different browser, ostensibly because IE and ActiveX are inherently insecure. I felt that quite missed the point that (a) browsers are software, and (b) all software has vulnerabilities, and (c) extension technologies in browsers add functionality, which (d) is implemented in the form of software, and therefore (e) introduce additional vulnerabilities. Just because Internet Explorer's extension technology is called ActiveX does not mean it inherently has any more, or fewer, vulnerabilities than the extension technologies in other browsers. ActiveX received a, deservedly, horrible reputation when it first came out about ten years ago. Since then Microsoft has actually put a lot of effort into securing the user's browsing experience, but for some reason, people keep dragging up old vulnerabilities from many years ago as proof that Microsoft does not care about security. Doing so is unfair and denigrates what is probably the most comprehensive software security program in the industry.

So, I decided to try to make that claim in the comments. That generated a response from "Nathan Anderson," who did not bother really reading what I wrote, used a flawed interpretation of data to "prove" that Firefox and Chrome are far more secure than IE, ignored Low Rights IE, and concluded by, in essence, calling me an idiot.

My comment also generated a response from Dave Kennedy, who appears to have been the original poster, and who thinks I went too far.

At this point, I'd probably do better to ignore the discussion, but Mr Kennedy posited a very interesting question, and I thought I'd like to explore it a little. Here it is:
"How many millions of dollars have been lost and thousands of individuals have become the victims of identity fraud that can be laid squarely at the feet of criminal exploitation of vulnerable ActiveX controls?"

I don't know. How many? And how does it compare with the number of millions of dollars lost because users click on things they shouldn't, while running as admins? How does it compare with the number of millions of dollars lost due to vulnerable versions of Flash and Acrobat, which are vulnerable on all browsers? All of those would be fantastic statistics to have. If anyone has them, I'd love to see them.

To the Nathans of the world: I never said Firefox and Chrome are less secure than IE. All I pointed out was that they do not benefit from a sandbox the way IE does on Vista and Win7. They could. Easily. Stripping privileges out of a token and setting an integrity level is quite simple. The difficult part is really just to build an escalation method to be able to perform tasks outside the sandbox.  It is just that their respective manufacturers have chosen not to implement this functionality. I really wish they had. It would greatly improve the difficulty of exploiting either browser.

In addition, Firefox, etc, may not have ActiveX, but they have other extension mechanisms, and a vulnerable extension is a vulnerable extension, whether it is ActiveX or not. It is correct that Chrome has fewer vulnerabilities than either Firefox or IE, but a reasonable argument can be made that it is because of how long it has been out and the amount of attention from security researchers it has received so far. Chrome is not yet a year old. In that time, Chrome 1.x and 2.x have racked up 9 advisories (12 vulnerabilities), according to Secunia. I included both versions because of how fast they were released. It provides a more accurate measure of the impact on the end user. Chrome 3.x is still considered a preview release as far as I can tell, so I excluded it. Firefox 3 (the only supported Firefox version for most of the one-year timeframe) had 9 advisories in 2009 so far, and an additional 5 in late 2008. Internet Explorer 7 in that timeframe has 6. 

Based on these figures, I would submit there is no statistically significant difference between the three browsers. I am not trying to minimize the ATL vulnerability, which was sloppy in the extreme, and I am not trying to denigrate either Firefox or Chrome, as I use and enjoy both, although mostly Firefox, which I used to write this post. I am simply saying that all software has vulnerabilities, and that the attackers will be opportunistic enough to exploit any or all of them if it is necessary to meet their needs.
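As an added example (not part of the original post), the advisory counts quoted above can be checked for a statistically significant difference. It assumes the three counts cover the same observation window and that advisories arrive as independent Poisson events; the function names are illustrative.

```python
from math import comb, exp

# Advisory counts quoted in the post (Secunia, roughly one-year window).
ADVISORIES = {"Chrome 1.x/2.x": 9, "Firefox 3": 9 + 5, "IE 7": 6}


def chi2_equal_rates(counts):
    """Chi-square goodness-of-fit against 'all three rates are equal'.

    Returns (statistic, p_value). With three groups df = 2, where the
    chi-square survival function is exactly exp(-x / 2).
    """
    if len(counts) != 3:
        raise ValueError("closed-form p-value is only valid for 3 groups")
    expected = sum(counts) / len(counts)
    stat = sum((c - expected) ** 2 / expected for c in counts)
    return stat, exp(-stat / 2)


def exact_pair_test(a, b):
    """Exact conditional test for two Poisson counts over equal windows.

    Given a + b events in total, a ~ Binomial(a + b, 0.5) if the rates
    are equal. Returns the two-sided p-value (doubled tail, capped at 1).
    """
    n, hi = a + b, max(a, b)
    tail = sum(comb(n, k) for k in range(hi, n + 1)) / 2 ** n
    return min(1.0, 2 * tail)


if __name__ == "__main__":
    stat, p = chi2_equal_rates(list(ADVISORIES.values()))
    print(f"three-way chi-square = {stat:.3f}, p = {p:.3f}")
    names = list(ADVISORIES)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            p_xy = exact_pair_test(ADVISORIES[x], ADVISORIES[y])
            print(f"{x} vs {y}: p = {p_xy:.3f}")
```

At the conventional 0.05 threshold neither the three-way test nor the widest pairwise gap (Firefox 3 against IE 7) rejects equal rates, so counts this small cannot rank the browsers.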

Vulnerability counting misses the point entirely though. All the bad guys need is one unpatched vulnerability. Furthermore, that vulnerability can reside in the browser, or in anything else running in the browser. The common add-ins, such as Flash and Acrobat, have vulnerabilities regardless of which browser they are running in. Even if the user has a fully patched and non-vulnerable browser, all the attacker needs is one unpatched add-in. Adding a new browser requires adding new add-ins, so now you have two copies of Flash to maintain, two copies of Acrobat to maintain, and another browser. Simply adding more software to maintain does not make people more secure. Most users would probably be far better off maintaining only one browser and spending the additional effort on learning how to browse more securely.

Finally, whether a computer is fully patched or not; whether a browser or its extensions are full of holes or not; the most vulnerable part of any system is almost always the user. Humans are still at v. 1.0 and there has not been a single security patch issued for them yet. There has been no Trustworthy Computing Initiative to stamp out security vulnerabilities in people. Therefore, the easiest way to hack anything is almost always to ask a legitimate user to do it for you. Simply present the user with something he values more than an intangible and incomprehensible security benefit, and your job is done. Many of the attacks today do not even use software vulnerabilities. It is more reliable and less expensive to exploit the user directly.

Published Sun, Aug 9 2009 1:04 PM by jesper

Comments

# wampir said on 10 August, 2009 01:13 AM

As far as I know there is some kind of sandbox in Chrome.

blog.chromium.org/.../new-approach-to-browser-security-google.html

dev.chromium.org/.../sandbox

# Dvader said on 10 August, 2009 05:14 AM

Correct me if I am wrong but Chrome on Vista is running in low integrity mode. So what's the difference with IE?

# Harry Johnston, MVP said on 10 August, 2009 05:42 PM

I don't agree with Nathan's comments, but I have to say I've been recommending against using IE for general-purpose web browsing for years now, mostly because of the large number of ActiveX vulnerabilities.  The IT group I work in also recommends that our staff use Firefox instead of IE.

As I see it, the problem with ActiveX is that, for whatever reason, it is too easy to accidentally create a browser plug-in that you never intended to.  Many of the vulnerabilities discovered are in controls that weren't meant for use in IE in the first place.  At least with Firefox, if you're writing a browser plug-in or extension you know that you're doing it!

Since we're still running Windows XP, by the way, we don't benefit from Low Rights.  I'm not entirely convinced that is an adequate protection in any case, mind you, since it is not intended to provide a security boundary.

Granted, IE has improved since the early days, and I may reconsider my position in due course ... but not so long as we're still getting a new killbit once a month or more on average. :-)

# Terry Walker said on 25 August, 2009 07:20 AM

Wow, I never knew that Is it ActiveX that is the problem?. That's pretty interesting...

# Jo said on 29 August, 2009 06:32 AM

How many ActiveX controls are by default enabled in IE and how many plug-ins are by default enabled in Firefox?