Compaq's Active X Policy Taking Water
Page 1 of 1
Compaq Computer said ActiveX programs that ship with its popular desktop and notebook Presario lines contain a flaw which could allow hackers to over-write files on users' machines if they visit a specially-constructed Web page or read a booby-trapped HTML e-mail.
In an advisory issued late yesterday, Compaq said it includes the ActiveX controls on Presarios to perform customer support tasks. The company classified the threat as a denial of service vulnerability.
The system bugs were first publicized two years ago by Richard Smith, chief technology officer for the Privacy Foundation, in a message to the NTBugTraq mailing list.
Earlier this year, Smith sent the computer manufacturer a note saying that his new Compaq Presario 1700 series laptop had come shipped with about a dozen pre-installed ActiveX controls which were marked "safe for scripting."
"Many of these controls," he wrote were "hardly safe."
In fact, Smith argues that the Compaq Presario and operating systems, including Windows 98 and Windows Me, contain Active X methods for writing files to hard drives with controls that can easily be tampered with from HTML e-mail messages, Web pages, or rogue code.
By definition, an Active X control can be automatically downloaded and executed by a Web browser. Programmers can develop ActiveX controls in a variety of languages, including C, C++, Visual Basic and Java.
"They ship something like eleven ActiveX controls that can write to the hard drive and over-write files," Smith said in an interview with InternetNews.com. "So the term 'denial of service' is kind of a misnomer. It can destroy data or the operating system. So I think this is a bigger deal."
For its part, a Compaq spokesperson said the company issued a patch to about 2 million users through a Compaq services connection.
The spokesperson also added that all Presario computers contained ActiveX controls. And with so many users at risk, Compaq has started a security mailing list service to keep users up-to-date. So far, 260,000 people have signed up.
So while Compaq is certainly taking an active interest in the problem, perhaps most startling is Smith's contention that PC vendors continue to sell computers that can be tweaked by hackers.
"PC vendors don't seem to understand ActiveX security and have shipped software preinstalled on computers that create backdoors that open people's machines wide open to hackers," he said.
What's disturbing to Smith, and countless other users, is that ActiveX controls have full access to the Windows operating system. To control this risk, Microsoft developed a registration system so that browsers can identify and authenticate an ActiveX control before downloading it.
Compaq says it has no plans to ask vendors to stop shipping Presario computers.