Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-623: Unsafe ActiveX Control Marked Safe For Scripting

Weakness ID: 623
Abstraction: Variant
Status: Draft
Presentation Filter:
+ Description

Description Summary

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

Extended Description

This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences

Technical Impact: Execute unauthorized code or commands

+ Observed Examples
add emails to spam whitelist
web browser uses certain COM objects as ActiveX
kiosk allows bypass to read files
+ Potential Mitigations

Phase: Architecture and Design

During development, do not mark it as safe for scripting.

Phase: System Configuration

After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base267Privilege Defined With Unsafe Actions
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class691Insufficient Control Flow Management
Research Concepts1000
ChildOfCategoryCategory978SFP Secondary Cluster: Implementation
Software Fault Pattern (SFP) Clusters (primary)888
PeerOfWeakness BaseWeakness Base618Exposed Unsafe ActiveX Method
Research Concepts1000
+ Research Gaps

It is suspected that this is under-reported.

+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 16, "What ActiveX Components Are Safe for Initialization and Safe for Scripting?" Page 510. 2nd Edition. Microsoft. 2002.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 12, "ActiveX Security", Page 749.. 1st Edition. Addison Wesley. 2006.
+ Content History
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Observed_Example, Weakness_Ordinalities
2010-02-16CWE Content TeamMITREInternal
updated References
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017