Compaq’s Active X Policy Taking Water

Compaq Computer said ActiveX programs that ship with its popular desktop and
notebook Presario lines contain a flaw which could allow hackers to
over-write files on users’ machines if they visit a specially-constructed
Web page or read a booby-trapped HTML e-mail.

In an advisory issued late yesterday, Compaq said it includes the ActiveX
controls on Presarios to perform customer support tasks. The company
classified the threat as a denial of service vulnerability.

The system bugs were first publicized two years ago by Richard Smith, chief
technology officer for the Privacy Foundation, in
a message to
the NTBugTraq mailing list.

Earlier this year, Smith sent the computer manufacturer a note saying that
his new Compaq Presario 1700 series laptop had come shipped with about a
dozen pre-installed ActiveX controls which were marked “safe for scripting.”

“Many of these controls,” he wrote were “hardly safe.”

In fact, Smith argues that the Compaq Presario and operating systems,
including Windows 98 and Windows Me, contain Active X methods for writing
files to hard drives with controls that can easily be tampered with from
HTML e-mail messages, Web pages, or rogue code.

By definition, an Active X control can be automatically downloaded and
executed by a Web browser. Programmers can develop ActiveX controls in a
variety of languages, including C, C++, Visual Basic and Java.

“They ship something like eleven ActiveX controls that can write to the hard
drive and over-write files,” Smith said in an interview with InternetNews.com.
“So the term ‘denial of service’ is kind of a misnomer. It can destroy data
or the operating system. So I think this is
a bigger deal.”

For its part, a Compaq spokesperson said the company issued a patch to about
2 million users through a Compaq services connection.

The spokesperson also added that all Presario computers contained ActiveX
controls. And with so many users at risk, Compaq has started a security
mailing list service to keep users up-to-date. So far, 260,000 people have
signed up.

So while Compaq is certainly taking an active interest in the problem,
perhaps most startling is Smith’s contention that PC vendors continue to
sell computers that can be tweaked by hackers.

“PC vendors don’t seem to understand ActiveX security and have shipped
software preinstalled on computers that create backdoors that open people’s
machines wide open to hackers,” he said.

What’s disturbing to Smith, and countless other users, is that ActiveX
controls have full access to the Windows operating system. To control this
risk, Microsoft developed a registration system so that browsers can
identify and authenticate an ActiveX control before downloading it.

Compaq says it has no plans to ask vendors to stop shipping Presario
computers.

*Brian McWilliams of InternetNewsRadio also
contributed to this story.

News Around the Web