In-Depth

Security Briefs

Active X Allows File Loading; Defining Spyware

• By Mathew Schwartz
• 06/30/2004

IBM ActiveX Vulnerabilities

Two support tools for IBM PCs, written in ActiveX, are vulnerable to attack. The two tools reportedly ship as part of the standard operating system build on many IBM PCs. Secunia classifies the vulnerability as “highly critical.”

The two IBM Access Support ActiveX controls are acpRunner 1.x and eGatherer 2.x. The controls allow for remotely initiated installation of code to the PC. Both are digitally signed by IBM as being safe for scripting, and both are intended to facilitate upgrades to IBM PCs.

As the Secunia advisory notes, “a malicious Web page or an HTML e-mail may exploit these controls to silently execute arbitrary code on a client system.” In particular, “writing a malicious file in the startup folder, for instance, can compromise the client PC when the system is rebooted.”

For machines without ActiveX , users may be queried to install the functionality. In addition, some digital certificate-related settings, such as “trust all code from IBM,” may drive the PC to automatically download and install ActiveX on the machine without alerting users, thus making their PCs vulnerable to exploits.

Exploit HTML code is already available via proof-of-concept research published by eEye Digital Security, which discovered the vulnerability.

IBM's patch can be found at:
http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-51860

-----

Earthlink Sees Spyware Infestations Increase

According to Webroot Software and Earthlink, spyware infestation are increasing.

The companies scanned about 1.5 million PCs from the beginning of 2004 to the end of April, and found an average of 27.5 types of possibly malicious software, for a total of over 40 million instances of spyware.

In particular, the amount of system-monitoring software discovered by the scans increased from March 2004 to April 2004 from about 36,000 to 61,000. During that same time period, discovered Trojan software jumped from 39,000 to 73,000.

While 1.5 million pieces of spyware is quite large, the study includes a broad definition of spyware, raising the question: what exactly is spyware?

Experts generally agree spyware tracks user activity without their knowledge, but some is worse than others. A definition from the Internet Security Systems Web site defines spyware as: “A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use spyware to gather data about customers. The practice is generally frowned upon.”

The industry is still honing its spyware definition. One problem is intent counts for a lot, but it’s difficult to automatically scan for that. For example, remote control software may be standard-issue IT software in one company, while in another an attacker may have snuck it onto computers.

The Webroot and Earthlink study classes spyware as adware, software which displays pop-up advertisings while running; system monitors, which record activity and keystrokes; and Trojan horse software, disguised or hidden software able to quietly steal data.

The study also includes adware cookies as part of its definition of spyware. “Adware cookies are pieces of software that Web sites store on your hard drive when you visit a site,” note Webroot and Earthlink, and it differentiates those from regular cookies, which perhaps just store your password for easily logging in on the next visit. By contrast, adware cookies are often used by third-party marketing firms to track users’ surfing habits over a variety of sites, and may store personal information, including usernames and passwords.

No matter your definition of spyware, however, Earthlink and Webroot’s research shows it is, unfortunately, still increasing.

Link to report's results:
http://www.earthlink.net/spyaudit/press/