CWE Individual Dictionary Definition (1.4)

CWE-623: Unsafe ActiveX Control Marked Safe For Scripting

Status: Draft
Weakness ID: 623 (Weakness Variant)
+ Description
Summary

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

Extended Description

This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.

+ Time of Introduction
* Architecture and Design
* Implementation
+ Observed Examples
Reference | Description
* kiosk allows bypass to read files
* web browser uses certain COM objects as ActiveX
* add emails to spam whitelist
+ Potential Mitigations

During development, do not mark the control as safe for scripting.

After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.
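Both mitigations leave traces in the registry that a defender can audit. The following PowerShell is an added example, not part of the CWE entry; it reports whether a given CLSID is registered, whether it declares the safe-for-scripting or safe-for-initializing component categories, and whether the Internet Explorer kill bit is set. The CLSID value is a constructed placeholder.

```powershell
# Added example: audit one ActiveX CLSID for the safe-for-scripting
# declaration and for the IE kill bit. Replace the placeholder CLSID with
# the control under review.
$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control

# Well-known component category IDs: CATID_SafeForScripting and
# CATID_SafeForInitializing. A control declares safety by creating a
# subkey with one of these GUIDs under its CLSID\Implemented Categories.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ActiveXSafetyStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $catKey   = "$clsidKey\Implemented Categories"
    # Kill-bit location: per-CLSID 'Compatibility Flags' DWORD; bit 0x400
    # tells Internet Explorer never to instantiate the control.
    $killKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    $scriptSafe = Test-Path "$catKey\$SafeForScripting"
    $initSafe   = Test-Path "$catKey\$SafeForInitializing"

    $flags = 0
    if (Test-Path $killKey) {
        $props = Get-ItemProperty -Path $killKey -ErrorAction SilentlyContinue
        if ($null -ne $props.'Compatibility Flags') {
            $flags = [int]$props.'Compatibility Flags'
        }
    }
    $killBit = ($flags -band 0x400) -ne 0

    [pscustomobject]@{
        Clsid               = $Clsid
        Registered          = Test-Path $clsidKey
        SafeForScripting    = $scriptSafe
        SafeForInitializing = $initSafe
        KillBitSet          = $killBit
        # A registered control that is scriptable but has no kill bit is
        # the condition this weakness describes.
        ExposedToScripting  = $scriptSafe -and -not $killBit
    }
}

Get-ActiveXSafetyStatus -Clsid $Clsid | Format-List
```

A control may also declare itself safe at runtime through the IObjectSafety interface, which leaves no registry category; an audit of that path needs to instantiate the control and is not covered by this registry check.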

+ Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 267 | Privilege Defined With Unsafe Actions | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Weakness Class | 691 | Insufficient Control Flow Management | Research Concepts 1000
PeerOf | Weakness Base | 618 | Exposed Unsafe ActiveX Method | Research Concepts 1000
+ Research Gaps

It is suspected that this is under-reported.

+ Content History
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Description, Relationships, Observed_Example, Weakness_Ordinalities
Page Last Updated: May 26, 2009