CWE: Common Weakness Enumeration
A Community-Developed Dictionary of Software Weakness Types
CWE List, Individual Dictionary Definition (CWE version 2.7)
CWE-623: Unsafe ActiveX Control Marked Safe For Scripting

 
Weakness ID: 623 (Weakness Variant) | Status: Draft
+ Description

Description Summary

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

Extended Description

Internet Explorer lets script on any web page instantiate a control that declares itself safe for scripting and call its methods, so an attacker can drive the control's dangerous functionality from a page they control. The resultant vulnerability depends on what the control does (reading files, changing configuration, executing commands, and so on).

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
Scope | Effect
Technical Impact: Execute unauthorized code or commands

+ Observed Examples
Reference | Description
  • add emails to spam whitelist
  • web browser uses certain COM objects as ActiveX
  • kiosk allows bypass to read files
+ Potential Mitigations

Phase: Architecture and Design

During development, do not mark the control as safe for scripting, whether by registering it under the CATID_SafeForScripting component category or by returning success from IObjectSafety::SetInterfaceSafetyOptions, unless every method and property it exposes is safe to call from an untrusted web page.

Phase: System Configuration

After distribution, set the kill bit for the control's CLSID (bit 0x400 of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) so that Internet Explorer refuses to instantiate it, regardless of its safe-for-scripting marking. On 64-bit Windows the 32-bit browser reads the Wow6432Node copy of that key, so set both.
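The following PowerShell is an added example and is not part of the CWE entry or any MITRE tooling. It audits the registry for controls registered under the safe-for-scripting category (the declarative half of the marking this weakness describes) and applies the kill-bit mitigation above to a chosen CLSID, preserving any other Compatibility Flags bits. The category GUIDs, the 0x400 kill bit and the two registry roots are Microsoft-documented values; the CLSID in the usage line is a hypothetical placeholder. It must run in an elevated PowerShell on Windows.

```powershell
# Added example for CWE-623 (not from the CWE entry). Run elevated on Windows.
# The CLSID in the usage line at the bottom is a hypothetical placeholder.

# Component categories a control registers to declare itself safe for IE.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing

# Bit in "Compatibility Flags" that Internet Explorer treats as the kill bit.
$KillBit = 0x400

# Registry views IE consults; the 32-bit browser on 64-bit Windows reads the Wow6432Node copy.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    # True only when the kill bit is set in every registry view present on this machine.
    param([Parameter(Mandatory)][string]$Clsid)
    $views = @($CompatRoots | Where-Object { Test-Path -LiteralPath $_ })
    if ($views.Count -eq 0) { return $false }   # no IE compatibility key at all
    foreach ($root in $views) {
        $flags = (Get-ItemProperty -LiteralPath "$root\$Clsid" -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

function Get-SafeForScriptingControls {
    # Lists every CLSID whose registration carries the safe-for-scripting category.
    # Caveat: a control that answers IObjectSafety at run time instead of registering the
    # category is invisible here; find those by code review or by probing them in a browser.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid = $_.PSChildName
        $base  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path -LiteralPath "$base\Implemented Categories\$CatSafeForScripting") {
            [pscustomobject]@{
                CLSID      = $clsid
                Name       = (Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).'(default)'
                Server     = (Get-ItemProperty -LiteralPath "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                SafeInit   = Test-Path -LiteralPath "$base\Implemented Categories\$CatSafeForInitializing"
                KillBitSet = Test-ActiveXKillBit -Clsid $clsid
            }
        }
      }
}

function Set-ActiveXKillBit {
    # Sets the kill bit for one CLSID in every registry view, keeping other flag bits,
    # then re-reads the value and returns whether the bit is now in effect.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent (32-bit OS)
        $key = "$root\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
    return (Test-ActiveXKillBit -Clsid $Clsid)
}

# Usage: audit first, then kill a control you have decided must not be reachable from IE.
Get-SafeForScriptingControls | Sort-Object Name | Format-Table -AutoSize
Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID, hypothetical
```

The audit deliberately reports controls that are also safe for initialization and whether each already has its kill bit set, because a control that is scriptable but already killed needs no further action, while one that is both scriptable and initializable from untrusted data is the higher-priority review target. The kill bit is ORed in rather than overwritten so that any other compatibility flags Microsoft or the vendor set for the control survive.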

+ Weakness Ordinalities
Ordinality | Description
Primary (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 267 | Privilege Defined With Unsafe Actions | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Weakness Class | 691 | Insufficient Control Flow Management | Research Concepts 1000
ChildOf | Category | 907 | SFP Cluster: Other | Software Fault Pattern (SFP) Clusters (primary) 888
PeerOf | Weakness Base | 618 | Exposed Unsafe ActiveX Method | Research Concepts 1000
+ Research Gaps

It is suspected that this is under-reported.

+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 16, "What ActiveX Components Are Safe for Initialization and Safe for Scripting?", Page 510. 2nd Edition. Microsoft Press. 2002.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 12, "ActiveX Security", Page 749. 1st Edition. Addison Wesley. 2006.
+ Content History
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Cigital | External: updated Time_of_Introduction
2008-09-08 | MITRE | Internal: updated Description, Relationships, Observed_Example, Weakness_Ordinalities
2010-02-16 | MITRE | Internal: updated References
2011-06-01 | MITRE | Internal: updated Common_Consequences
2012-05-11 | MITRE | Internal: updated References, Relationships
2012-10-30 | MITRE | Internal: updated Potential_Mitigations
Page Last Updated: June 23, 2014