Monday, May 21, 2012
ActiveX Exploit
Samuel Warren
IS 469 - Information Security Capstone
Dan Morrill
City University
May 17, 2012
Executive Summary
The buffer overflow in the MSCOMCTL.OCX ActiveX control, patched by Microsoft Security Bulletin MS12-027 (CVE-2012-0158), is a critical hole in the Microsoft Office suite. The worst part of this exploit is that once the overflow is triggered, the attacker's code runs with the rights of the logged-on user and can do just about anything that user can. However, because Microsoft patches on a regular schedule, a working fix has been available since April 10, 2012 (TechCenter, 2012), the same month the vulnerability and a public exploit for it appeared.
Introduction
Criminal hackers are always looking for a weakness to exploit. To that end, they poke and prod different systems to see how they work, and they become subject matter experts in various languages and file formats. There are equal parts education and criminality that combine into a tapestry of what happens when information is used for the wrong purposes. In April 2012, Microsoft patched a vulnerability in the Windows Common Controls ActiveX library (MSCOMCTL.OCX) that can be used to take control of the victim computer through Microsoft Office 2003-2010, with the exception of the 64-bit editions of Office 2010 (TechCenter, 2012); a public exploit for it was posted to exploit-db.com the same month (Exploit-db, 2012). The following analysis will show the potentials, risks and rewards of exploiting this loophole in the Active
What does the code do?
The public exploit is a crafted Office document that embeds the MSCOMCTL.OCX ListView control (Exploit-db, 2012). When a vulnerable copy of Office 2003-2010 opens the document, it instantiates the control and parses the control's stored property data. A length field in that data is trusted and used to copy the attacker's bytes into a fixed-size buffer on the stack, overflowing it; the overflowed bytes overwrite the saved return address and redirect execution into shellcode carried in the same document. From that point the attacker's code runs with the privileges of the user who opened the file and can issue any command on the victim system.
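The trust-the-length-field pattern described above, as an added example that is not code from this paper, from Microsoft, or from the exploit-db module. The record layout and the names (parse_item_vulnerable, parse_item_fixed, build_record, ITEM_BUF, g_last_item) are constructed for illustration and are not MSCOMCTL.OCX's real property format; the vulnerable parser keeps the bug class, and the fixed parser shows the bounds check a patch adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_BUF 8   /* fixed-size stack buffer the control copies an item into */

/* Hypothetical record layout, constructed for this example:
 *   bytes 0..3  little-endian length N of the payload (attacker-controlled)
 *   bytes 4..   N bytes of payload */

/* Where a real control would hand the parsed item to the rest of its code;
 * kept here so the copy is observable and not optimised away. */
unsigned char g_last_item[ITEM_BUF];

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: the copy length comes straight from the file. A record whose
 * length field exceeds ITEM_BUF writes past `item` into the saved frame
 * pointer and return address. Returns bytes copied, or -1 if the 4-byte
 * header is missing. */
int parse_item_vulnerable(const uint8_t *rec, size_t rec_len)
{
    char item[ITEM_BUF] = {0};
    if (rec_len < 4)
        return -1;
    uint32_t n = read_le32(rec);
    memcpy(item, rec + 4, n);            /* n is never compared with sizeof item */
    memcpy(g_last_item, item, sizeof item);
    return (int)n;
}

/* Fixed: the declared length must fit both the bytes actually present in
 * the record (no over-read) and the destination buffer (no overflow).
 * Returns bytes copied, or -1 for a malformed or oversized record. */
int parse_item_fixed(const uint8_t *rec, size_t rec_len)
{
    char item[ITEM_BUF] = {0};
    if (rec_len < 4)
        return -1;
    uint32_t n = read_le32(rec);
    if (n > rec_len - 4 || n > sizeof item)
        return -1;                       /* reject rather than trust the file */
    memcpy(item, rec + 4, n);
    memcpy(g_last_item, item, sizeof item);
    return (int)n;
}

/* Serialises a record into buf with an arbitrary declared length (which an
 * attacker can set independently of the payload). Returns bytes written,
 * or 0 if buf is too small. */
size_t build_record(uint8_t *buf, size_t buf_len, uint32_t declared,
                    const uint8_t *payload, size_t payload_len)
{
    if (buf_len < 4 + payload_len)
        return 0;
    buf[0] = (uint8_t)declared;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16);
    buf[3] = (uint8_t)(declared >> 24);
    memcpy(buf + 4, payload, payload_len);
    return 4 + payload_len;
}

int main(void)
{
    uint8_t rec[128];
    uint8_t evil[64];
    memset(evil, 'A', sizeof evil);      /* constructed overflow payload */

    /* A well-formed 5-byte item: both parsers accept it. */
    size_t len = build_record(rec, sizeof rec, 5, (const uint8_t *)"hello", 5);
    printf("benign:    vulnerable=%d fixed=%d item=%.5s\n",
           parse_item_vulnerable(rec, len), parse_item_fixed(rec, len),
           (const char *)g_last_item);

    /* 64 bytes declared for an 8-byte buffer: the fixed parser rejects it. */
    len = build_record(rec, sizeof rec, 64, evil, sizeof evil);
    printf("oversized: fixed=%d (rejected)\n", parse_item_fixed(rec, len));
#ifdef DEMO_CRASH
    /* The vulnerable parser copies all 64 bytes into the 8-byte buffer.
     * Built with -fstack-protector this aborts with "stack smashing
     * detected"; without it the saved return address becomes 0x41414141. */
    parse_item_vulnerable(rec, len);
#endif
    return 0;
}
```

Build with `cc -O0 -fno-stack-protector -DDEMO_CRASH` to watch the 'A's reach the return address, or with the stack protector on to see why the crash alone is not an exploit: the real module places shellcode and a return-into-code address in the payload instead of 'A's. The fixed parser's two comparisons are the whole fix; the over-read check (`n > rec_len - 4`) matters as much as the overflow check, since a document can declare more bytes than it carries.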
Potential for a weapon
The potential to use this exploit as a weapon is high. Microsoft's Security TechCenter rates it "Critical" (TechCenter, 2012) for all affected Office products because opening the file is enough to give the attacker remote code execution, and what the attacker does with it is limited only by what the victim's account can do. For example, a user who opens a crafted attachment could have malware installed that collects personal information, credentials and documents and sends them to the attacker. Another major point is that the potential victim pool is so big and diverse that at least some people will be affected, if not thousands.
All told, roughly half a billion people use Office. Yet for all the ways consumers use it at home, there are many more time-saving solutions to be found in the world’s most ubiquitous desktop software. (Schultz, 2009)
Because the exploit cannot trigger on its own, the attacker must trick or socially engineer the user into opening the crafted document, typically as an email attachment or a download from a web page; the vulnerable control is loaded as part of opening the file. Once the user does that, the potential is practically limitless.
Risk and Rewards
The major risk in weaponizing this exploit, from the attacker's side, is Microsoft's patch frequency. Microsoft releases a patch for a bug, loophole or exploit as soon as it has identified a fix, so the exploit has a potentially short useful life, depending on how quickly end users install the patch. However, should a victim be coerced into opening the document and starting the overflow, the attacker can do just about anything to the victim's machine with that user's rights, including using it as a stepping stone to send the same document on to the rest of Office's roughly half a billion users.
References
Exploit-db. (2012, April). Exploit 18780. Retrieved from exploit-db: http://www.exploit-db.com/exploits/18780/
Schultz, M. (2009, January 8). Microsoft Office is Right at Home. Retrieved from Microsoft: http://www.microsoft.com/en-us/news/features/2009/jan09/01-08cesofficeqaschultz.aspx
TechCenter, M. S. (2012, April 10). Microsoft Security Bulletin MS12-027 - Critical. Retrieved from Security TechCenter: http://technet.microsoft.com/en-us/security/bulletin/ms12-027