Many years ago, ActiveX was a popular technology. Unfortunately, too many ActiveX controls had a very low code maturity and were riddled with basic vulnerabilities like buffer overflows, or exposed unsafe functionality even if marked as “safe for scripting”. These allowed malicious websites to trivially compromise users’ systems. Today, ActiveX technology is considered obsolete and unsafe. Microsoft even removed support for ActiveX in Microsoft Edge, which is now their recommended default browser over Internet Explorer. As a result, most websites wisely no longer rely on ActiveX technology.
So if ActiveX technology is pretty much dead, why are we writing about it? Who even cares about ActiveX control vulnerabilities in 2019?
Anyone living in South Korea, or accessing their websites, certainly does still care about ActiveX. Due to a law from 1999 to, ironically, enhance Internet security, people in South Korea were stuck until fairly recently with Internet Explorer and had to allow ActiveX controls to run, particularly on government, banking, and education websites.
This was not only frustrating to people living there, but continues to pose a threat to their online security. According to security researchers at IssueMakersLab, between 2007 and 2018 a large number of 0-day attacks attributed to North Korea exploited 28 different vulnerabilities in commonly used ActiveX controls. One of the latest watering hole attacks in this campaign exploited 10 different ActiveX controls.
In early 2014 the government decided to lift the mandatory use of ActiveX technology and encouraged organizations to find alternatives. While it had some impact, a large number of websites, including ones run by the government, continued to rely on it. In 2015 steps were taken to remove ActiveX controls from government websites, with the goal of having them completely removed by 2018. It was also announced that 90% of the 100 most popular websites run by private companies would be free of ActiveX controls by the end of 2017, and yet by late October 2017 nearly half of them still relied on it.
It has clearly been a slower process than hoped. The current goal, which was set in 2017, is that ActiveX controls will be removed from all government websites by 2020. Until then Koreans are still dependent on ActiveX technology and probably will be for a while longer.
Flashpoint discovers multiple critical vulnerabilities
At the beginning of 2019, we did some research into South Korean ActiveX controls previously exploited in 0-day attacks, resulting in the discovery of, among other things, an incomplete fix for one of them. During this process, we also obtained a repository of about 100 South Korean ActiveX controls.
To help the growing South Korean customer base on our VulnDB vulnerability intelligence product, and satisfy our own curiosity, we assigned additional research time to look further into these ActiveX controls. The main goal of the research was to determine if South Korean ActiveX controls in general have a higher code maturity. As South Korea relies on antiquated technology, it seems reasonable to expect that an extra effort was made to secure these ActiveX controls and reduce the inherent risks of safe-for-scripting ActiveX controls.
The results were not encouraging…
Our approach combined fuzzing of the ActiveX controls with in-depth reverse engineering of the most popular ones. It turned out that finding vulnerabilities in these ActiveX controls was simple. We actually ended up cutting the project short after finding 40 vulnerabilities across 10 ActiveX controls (and an additional vulnerability in a Chinese ActiveX control that snuck its way into the mix).
Discovered vulnerabilities
The discovered vulnerabilities were all very basic: various types of buffer overflows and unsafe exposed functionality that allowed executing code on users’ systems. There was no need to make a greater effort to find more complex ones. At the time of the analysis, these ActiveX controls were available from websites for different organizations including a bank, a major financial company, a major technology company, some universities, and a government entity.
In early February 2019, we turned over all our findings to the Korea Internet & Security Agency (KISA). Since then they have worked with the impacted vendors to either get the vulnerabilities fixed, or deprecate the vulnerable ActiveX controls and remove them from the websites that provided them. KISA further plans to ensure that kill-bits are set for impacted ActiveX controls.
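To make the kill-bit mitigation concrete, here is an added example (not code from Flashpoint or KISA) that audits a registry export for controls registered as safe for scripting that have no kill bit set in the same registry view. It assumes the input is the text of a `reg export` of `HKLM\SOFTWARE`; the function names and the CLSIDs in the sample are placeholders constructed for illustration.

```python
import re

# CATID_SafeForScripting: IE treats controls registered under it as scriptable.
SAFE_CATID = "{7DD95801-9882-11CF-9FA9-00AA006C4A84}"
KILL_BIT = 0x400  # bit in the "Compatibility Flags" DWORD
GUID = r"(\{[0-9A-Fa-f-]{36}\})"
SAFE_KEY = re.compile(r"\\(WOW6432Node\\)?Classes\\CLSID\\" + GUID
                      + r"\\Implemented Categories\\" + re.escape(SAFE_CATID) + "$", re.I)
COMPAT_KEY = re.compile(r"\\(WOW6432Node\\)?Microsoft\\Internet Explorer"
                        r"\\ActiveX Compatibility\\" + GUID + "$", re.I)
FLAGS = re.compile(r'"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def view(match):
    # 32-bit controls and their kill bits live under WOW6432Node on 64-bit Windows.
    return "32-bit" if match.group(1) else "native"

def scriptable_without_kill_bit(reg_text):
    """Return sorted (view, CLSID) pairs registered safe for scripting that
    have no kill bit in the same registry view."""
    safe, killed, current = set(), set(), None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            m = SAFE_KEY.search(key)
            if m:
                safe.add((view(m), m.group(2).upper()))
            m = COMPAT_KEY.search(key)
            if m:
                current = (view(m), m.group(2).upper())
        elif current:
            m = FLAGS.match(line)
            if m and int(m.group(1), 16) & KILL_BIT:
                killed.add(current)
    return sorted(safe - killed)

# Constructed sample in .reg export format; the CLSIDs are placeholders.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4A84}]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4A84}]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4A84}]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    print(scriptable_without_kill_bit(SAMPLE))
```

The third placeholder control is still reported because its kill bit sits only in the native view while the control is registered in the 32-bit view. A control can also declare itself safe at runtime through `IObjectSafety`, which a registry-only check like this one cannot see.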
Details about the vulnerabilities were provided to our VulnDB customers in early April 2019, and public reports have now been published on our research page.
It seems 2020 can’t come fast enough for the South Koreans. It’s evident that they’re not only relying on antiquated technology, but their ActiveX controls are just as unsafe as the ones used elsewhere many years ago.