Hey everyone! I have a question about Active X. Recently a city web site installed an active X control for a web cam and there was a brief mention of using it for visitor tracking in a blurb in the local paper.

I spent hours double-checking what I already knew about the dangers of Active X controls and got a lot of great info, but...I'm still a little confused.

I've told people all the malicious things that can be done if they download this active X. From what I understand, it sounds like the perfect set up for a hacker. I have every reason to believe there is some malicious intent behind this active X control (no, not paranoid; I do have legit reasons for feeling this way, please, PLEASE trust me on that and don't just tell me I'm paranoid, okay??? ) So my question is, could this active X control be used maliciously?

I think you'll find that it can't be USED maliciously unless it has been DESIGNED maliciously (or unless there's some other form of security issue).

If it's written with all good intentions then it's safe. It has to be written maliciously and the problem is that you can't find that out too easily.

That's as far as I know, anyway.

Quote:

If it's written with all good intentions then it's safe. It has to be written maliciously and the problem is that you can't find that out too easily.

I see...thank you. So basically it's up to the programmer? Well, in this case, the source of the code is reason for red flags all over the place.

But I see what you mean -- one would almost have to get the code in order to find out if it's going to be used maliciously and that's next to impossible.

don't know about this particular one, but activeX controls can have full access to the Windows OS on the client machine. So if you mean maliciously in terms of the users PC, then Yes it could be used to "damage" the client machine.
However, there are security measures in place that would require the end user to inhibit them all before the object was allowed free reign on the machine.

Quote:

Originally Posted by fitnfree

I see...thank you. So basically it's up to the programmer? Well, in this case, the source of the code is reason for red flags all over the place.

But I see what you mean -- one would almost have to get the code in order to find out if it's going to be used maliciously and that's next to impossible.

Or install the control on a tightly secured machine and see what warnings came up.

Quote:

Or install the control on a tightly secured machine and see what warnings came up.

Oh...chrishirst, good idea! Now that would be able to be removed right away, wouldn't it? Would it leave any fragments or anything on a computer? (please forgive my ignorance, but programming was my most difficult subject in Web Dev, much to my chagrin!! )

again it depends on the programmer,

If the securities on the machine are weak, a control could be programmed to leave remnants or install other processes that are left behind after removal.

Ideally the testing process should be done in an isolated environment using a "lab-rat" machine that can be wiped and reinstalled or re-imaged (Ghost or DriveImage etc) rather than risking contamination of production machines or your main workstation/computer.

If you are confident about your security, firewall, AV and Anti Scumware measures, testing on a live machine should be ok. As any suspicious behaviour should bring up warnings and will need human intervention to approve the actions.

Once you let an ActiveX control run on your system, it has free reign to do anything that the permissions on your system will allow. For most home users, that means it has access to EVERYTHING and ANYTHING (including modify other applications, suck up all your data and send it to Elbonia, drop new applications on your system to turn it into a zombie...). For corporations, there's sometimes a better degree of control, but it's still not perfectly safe. Unless you know the vendor of the control and trust them completely, don't run it.

Thank you SO much for the insight chrishirst and freelance - -this is more helpful than I know how to say. One of the people behind this active x control installed on a city web site (which was, this year, moved to a private company's hosting a-hem) said the following to me Sunday evening in our local forum:

Quote:

LOL, if you think active X is malicious just monitor your firewall traffic. Other things could easily be done as well but since your such the expert you can figure that out on your own. All dangers can be detected by software you just have to know how. To bad your not smart enough to figure it out.

We've been in "verbal warfare" since Sunday evening and they keep trying to say there was nothing behind their active X control -- BUT, they removed it and changed to Java...

Quote:

Originally Posted by fitnfree

Oh...chrishirst, good idea! Now that would be able to be removed right away, wouldn't it? Would it leave any fragments or anything on a computer? (please forgive my ignorance, but programming was my most difficult subject in Web Dev, much to my chagrin!! )

Yes. It's not supposed to be that way, but in truth a Windows system is like a lego castle. You can undo some recent changes but miss one ... it's incredibly easy. And I guess I mean "you" as the programming team, not as in the end user. A person could write an uninstaller that does nothing but insult the user. Remember Sony's rootkit?

Instead, download VMWare, which is pretty highly respected among IT people, and install the ActiveX control there. When you're finished, just delete the file with the virtual machine or hard disc. That will make it much, much harder for any nasty code to infect your computer.

I'm not sure if you're asking whether the control could be used to damage your computer, or to track data about you ... but honestly, it could do either if it was intended to.

Quote:

Originally Posted by ForrestCroce

Instead, download VMWare, which is pretty highly respected among IT people, and install the ActiveX control there. When you're finished, just delete the file with the virtual machine or hard disc. That will make it much, much harder for any nasty code to infect your computer.

There's a step missing here: some malicious controls can scan your network and do stuff to other machines as well. Just because you're in a VM doesn't shield your other systems on the network (including the host) from being accessed over the network layer to do things. And most people don't secure their home network, so you're wide open to that kind of attack.

Isn't it lovely?

By the way, if you give it permission, a java control can do the same thing. But you have to be more explicit about the permissions you grant it. Just because there's the java "sandbox" doesn't mean someone won't want to let it play outside the box.

Quote:

Originally Posted by FreelanceMan

There's a step missing here: some malicious controls can scan your network and do stuff to other machines as well. Just because you're in a VM doesn't shield your other systems on the network (including the host) from being accessed over the network layer to do things. And most people don't secure their home network, so you're wide open to that kind of attack.

Yeah, and addressing this gets really complicated. Running the control inside a virtual machine doesn't guarantee malicious code can't hop around the network, but the sandbox will eliminate 80 or 90 % of the risk. I use seat belts and airbags, even if they don't save lives in 100 % of accidents.

It's been a while since I've used virtual machines, and the last time was Microsoft's. So I don't know off hand how the software defaults, and I don't know what this control is or how likely it is to try to cross machine boundaries. But a home network, especially if it's one box, isn't the most attractive target.

i think tho probably 99% of the time they are safe and it would be very unlikely that site which isnt full of porn, warez etc would have bad active X's

Dan