Followers of the July Month of Browser Bugs (MoBB) got a bonus this month from MoBB head and researcher HD Moore -- a free ActiveX fuzzing tool.
Moore is offering his AxMan fuzzing tool, and plenty of researchers have already taken him up on it. AxMan was the tool Moore used to find and debug nearly every ActiveX bug during his famed MoBB project. (See Getting Buggy with the MOBB.)
The researcher is offering the tool to anyone who wants to audit systems for ActiveX vulnerabilities. Unlike most fuzzing tools, which are typically used by technical researchers, this tool has a user-friendly interface. "The AxMan user interface is easy enough that just about anyone can get some value out of it," Moore says.
ActiveX bugs are nothing new, and the bugs uncovered by AxMan basically reiterate the conventional wisdom many security managers already employ: Make sure your end users disable ActiveX, security experts say.
The idea of the free tool is for software vendors to find vulnerabilities in their software and for enterprises to assess their security risks. ActiveX and COM-type objects come with third-party apps, so it's difficult to track them, says Moore, a lead developer and the founder of the Metasploit project. "It's hard to tell how an ActiveX control ended up on your system or what third-party software package it is part of," he says. So even if you uninstall one application, its ActiveX component could still remain on the system.
"It can provide a backdoor of sorts to any Web-based attacker."
Several researchers who have downloaded the tool have informed Moore they've found new bugs and are working with vendors to patch them. "Releasing this tool effectively 'kills' all easy ActiveX vulnerabilities, since anyone can find them now. It's just a matter of time before they are all fixed."
Others are already exploiting the holes, Moore says, but turning vulnerabilities into exploit code takes a lot of time and effort.
Among the apps most susceptible to ActiveX vulnerabilities are Web-based apps that use embedded tables or hyperlinks in an information panel, Moore says. Microsoft Office, for instance, has over 1,000 COM objects, with at least 50 that are labeled "safe for scripting," which makes them accessible from the Web and therefore at risk. Other apps include Visual Studio, Adaptec CD, and all IE plug-ins, such as PDFs and Flash, Moore says.
AxMan has also discovered over 100 different flaws in Windows XP SP2 with third-party apps installed on it, according to Moore, who withheld his own blacklist file of vulnerabilities so vendors could find fixes for them first. He found about 20 flaws with the tool in the MoBB project.
An XP system with Office 2003, meanwhile, has over 7,000 COM objects, 300 of which are accessible from the Web, Moore says. "A friend of mine reported over 10,000 objects on his system, which has all sorts of third-party software and enterprise applications."
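As an added example (not part of the article and not AxMan's own code), the following PowerShell inventory lists the COM classes on a Windows system that are registered as "safe for scripting", the ones a web page can instantiate in Internet Explorer, together with the binary that implements each one and whether the IE kill bit is set for it. The category GUID and registry locations are the standard Windows ones; the script assumes it runs in an elevated PowerShell on the machine being audited.

```powershell
# Added example: enumerate "Safe for scripting" COM classes and their kill-bit status.
# Standard Windows identifiers: CATID_SafeForScripting and the IE ActiveX Compatibility key.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KillBitKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptableActiveX {
    foreach ($cls in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $clsid = $cls.PSChildName

        # Keep only classes that declare the safe-for-scripting category.
        if (-not (Test-Path (Join-Path $cls.PSPath "Implemented Categories\$SafeForScripting"))) { continue }

        # The implementing binary tells you which installed package the control belongs to,
        # which is the hard part the article describes (controls outlive their installer).
        $server = (Get-ItemProperty -Path (Join-Path $cls.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) {
            $server = (Get-ItemProperty -Path (Join-Path $cls.PSPath 'LocalServer32') -ErrorAction SilentlyContinue).'(default)'
        }

        # Kill bit: bit 0x400 in "Compatibility Flags" under the ActiveX Compatibility key
        # blocks IE from loading the control even though it is still registered.
        $flags = (Get-ItemProperty -Path (Join-Path $KillBitKey $clsid) -ErrorAction SilentlyContinue).'Compatibility Flags'
        $killBit = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)

        [pscustomobject]@{
            CLSID   = $clsid
            Name    = (Get-ItemProperty -Path $cls.PSPath -ErrorAction SilentlyContinue).'(default)'
            Server  = $server
            KillBit = $killBit
        }
    }
}

# Usage: scriptable controls that are NOT kill-bitted, grouped by implementing binary,
# so each one can be traced back to the third-party package that shipped it.
Get-ScriptableActiveX | Where-Object { -not $_.KillBit } |
    Sort-Object Server | Format-Table CLSID, Name, Server -AutoSize
```

On 64-bit Windows, 32-bit controls are registered under HKEY_CLASSES_ROOT\WOW6432Node\CLSID as well, so run the enumeration over that hive too to get the full count the article talks about.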
"You're basically getting a commercial tool for free," says David Maynor, senior security researcher for SecureWorks. "This will help curb ActiveX vulnerabilities," but there are still plenty of other bugs out there in other areas, he adds.
Meantime, AxMan has also put the kibosh on some bugs-for-money deals. (See Bucks for Bugs.) "A side effect is that companies that purchase vulnerabilities won't be able to accept issues found with this tool, since they've become semi-public," Moore says. "That may upset a few people who found the same bugs the hard way" without the tool, he says. Companies such as VeriSign's iDefense and 3Com's Zero Day Initiative that pay researchers for vulnerabilities require that the bugs have not been publicized nor reported to the vendor, Moore says.
SecureWorks' Maynor says that's good news. "It takes the power to find out about bugs out of the hands of a few and into the hands of many," he says.
The key is to integrate AxMan into your overall quality-assurance process for security, Moore says. "There is no one silver bullet."
Kelly Jackson Higgins, Senior Editor, Dark Reading