Unsafe ActiveX Control Marked Safe For Scripting| ID: 623 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
An ActiveX control is intended for restricted use, but it has
been marked as safe-for-scripting.
Extended DescriptionThis might allow attackers to use dangerous functionality via a web page
that accesses the control, which can lead to different resultant
vulnerabilities, depending on the control's behavior.
Applicable PlatformsNone
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityIntegrityAvailability | Execute unauthorized code or
commands | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | During development, do not mark it as safe for scripting. | | |
| System Configuration | | After distribution, you can set the kill bit for the control so that
it is not accessible from Internet Explorer. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-623 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2007-0617 : add emails to spam whitelist
- CVE-2007-0219 : web browser uses certain COM objects as ActiveX
- CVE-2006-6510 : kiosk allows bypass to read files
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- ..
- ..
- ..
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 16, "What ActiveX Components Are Safe for
Initialization and Safe for Scripting?" Page 510'. Published on 2002.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 12, "ActiveX Security", Page 749.'. Published on 2006.
