Exposed Unsafe ActiveX Method
Weakness ID: 618 (Weakness Base)
Status: Incomplete
+ Description

Description Summary

An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain).

Extended Description

ActiveX controls can exercise far greater control over the operating system than typical Java or JavaScript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods and on whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, such a method could be invoked by attackers from any page that can instantiate the control.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Observed Examples
Reference      Description
CVE-2007-1120  Download a file to arbitrary folders.
CVE-2006-6838  Control downloads and executes a URL given in a parameter.
CVE-2007-0321  Resultant buffer overflow.
+ Potential Mitigations

If you must expose a method, make sure to perform input validation on all arguments, and protect against all possible vulnerabilities.

Use code signing, although this does not protect against any weaknesses that are already in the control.

Where possible, avoid marking the control as safe for scripting.
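The argument validation the first mitigation calls for, shown as an added example in portable C++ that is not from the CWE entry or from any real control. It assumes a hypothetical exposed method DownloadTo(folder, url) and checks both arguments before the control acts on them: the folder must resolve inside a fixed download root (the CVE-2007-1120 pattern) and the URL must be HTTPS from an allowlisted host (the CVE-2006-6838 pattern). The root and host list are placeholders.

```cpp
#include <algorithm>
#include <filesystem>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Normalise Windows separators so the check behaves the same on any host.
static std::string to_forward_slashes(std::string s) {
    std::replace(s.begin(), s.end(), '\\', '/');
    return s;
}

// Folder argument of the hypothetical DownloadTo(folder, url) method:
// the caller-supplied folder must resolve inside allowed_root.
bool folder_is_within_root(const std::string& requested, const std::string& allowed_root) {
    if (requested.find(':') != std::string::npos) return false; // drive letter or NTFS stream
    fs::path rel(to_forward_slashes(requested));
    if (rel.is_absolute()) return false;                        // "/x", "\x", "\\server\share"
    fs::path root = fs::path(to_forward_slashes(allowed_root)).lexically_normal();
    if (root.filename().empty()) root = root.parent_path();    // drop trailing separator
    fs::path target = (root / rel).lexically_normal();          // collapses "." and ".."
    // Component-wise prefix test, so "../downloads_evil" does not pass as "downloads".
    auto r = root.begin();
    auto t = target.begin();
    for (; r != root.end(); ++r, ++t)
        if (t == target.end() || *r != *t) return false;
    return true;
}

// URL argument: HTTPS only, and the host must be on the control's allowlist.
bool url_is_allowed(const std::string& url, const std::vector<std::string>& allowed_hosts) {
    const std::string scheme = "https://";
    if (url.compare(0, scheme.size(), scheme) != 0) return false;
    std::string authority = url.substr(scheme.size(), url.find('/', scheme.size()) - scheme.size());
    // Reject userinfo and ports: "trusted@evil" and "trusted:8443" are not plain hosts.
    if (authority.find_first_of("@:") != std::string::npos) return false;
    return std::find(allowed_hosts.begin(), allowed_hosts.end(), authority) != allowed_hosts.end();
}
```

Both checks are purely lexical, so they cannot follow symlinks or junctions; a control that writes to disk should additionally open the target with flags that refuse to follow reparse points.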

+ Weakness Ordinalities
Ordinality  Description
Primary     (where the weakness exists independent of other weaknesses)
+ Relationships
Nature   Type              ID   Name                                              View(s) this relationship pertains to
ChildOf  Category          275  Permission Issues                                 Development Concepts (primary) (699)
ChildOf  Weakness Base     749  Exposed Dangerous Method or Function              Research Concepts (primary) (1000)
PeerOf   Category          100  Technology-Specific Input Validation Problems     Research Concepts (1000)
PeerOf   Weakness Variant  623  Unsafe ActiveX Control Marked Safe For Scripting  Research Concepts (1000)
+ Content History
Modifications
Modification Date  Modifier          Organization  Source
2008-07-01         Eric Dalci        Cigital       External
  updated Time of Introduction
2008-09-08         CWE Content Team  MITRE         Internal
  updated Relationships, Observed Example, Other Notes, Weakness Ordinalities
2008-10-14         CWE Content Team  MITRE         Internal
  updated Description
2008-11-24         CWE Content Team  MITRE         Internal
  updated Relationships, Type
2009-10-29         CWE Content Team  MITRE         Internal
  updated Description, Other Notes