ActiveX Controls Still Vulnerable After Four Years
Activity spotted by an eWeek reporter on at least two "gray-hat" vulnerability research sites appears to indicate that an exploit for a weakness in one of Microsoft's Multimedia ActiveX controls discovered last June may still be feasible, even after four years of patches.
That this set of controls, which was last used in Internet Explorer 5.0 and is still installed on many systems, could be so easily exploited to trigger heap overflows has been public knowledge since at least 2003.
Just last June, however, gray-hat firm Xsec found at least one other way to keep exploiting them. The US Department of Homeland Security was apparently notified of the exploit in late August, and released a bulletin last week. That bulletin stated the exploit had been witnessed running in IE 6.0 SP1, though the DHS rated its severity as "low."
The exploit Xsec discovered is frighteningly simple: Unchecked JavaScript code, reportedly running on a Chinese-language version of Windows Server 2003 prior to SP1, can be used to instantiate Microsoft's DirectAnimation library. By passing it a parameter for generating a spline -- a curved path -- using a value that's out-of-bounds for that function, a heap overflow condition is triggered. The original code, published by SecurityFocus, does not contain a payload for deployment after triggering the condition.
A recently published version of this exploit, on Xsec and one other site, essentially re-creates the exploit by enabling curious parties to compile a C-language routine that deploys it via the Windows Command Prompt.
SecurityFocus has catalogued the exploit as Bugtraq ID 19738, and states it knows of no patches released thus far that specifically address the issue. Meanwhile, Internet Security Systems classifies the exploit as "high risk," stating no known remedy existed as of its last update nearly three weeks ago.
This DAXCTLE exploit, for lack of a better name, is merely the latest in a series of recent security troubles for Microsoft that could be considered a "heap overflow" of a different variety.
Although more unpatched exploits from years past are being characterized as "zero-day exploits" for one reason or another, the problem for Microsoft has not been that malicious users are implementing exploits the same day vulnerabilities are discovered. The real issue is that they're successfully continuing to find exploits four years or more after the underlying problems are known.