CWE is a trademark of the MITRE Corporation.


Exposed Unsafe ActiveX Method [CWE-618]

The Exposed Unsafe ActiveX Method weakness describes the exposure of dangerous ActiveX methods that perform actions outside the browser's security model.

Created: September 11, 2012
Latest Update: December 15, 2020

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References
  8. Latest Related Security Advisories

Want an in-depth understanding of all modern aspects of Exposed Unsafe ActiveX Method [CWE-618]? Read this article carefully and bookmark it to come back later; we regularly update this page.

1. Description

This weakness occurs when an ActiveX control is marked as safe for initialization and safe for scripting but contains dangerous methods that could be used to perform unauthorized actions on the user's system. An ActiveX control is a COM object intended to bring additional functionality to Internet Explorer. As a result, it may receive input from an untrusted source, e.g. a webpage, and handle it incorrectly. Buffer errors in exposed methods are also considered unsafe exposure and fall within the scope of this weakness.

The following example demonstrates initialization of the NMSDVDX.DVDEngineX.1 (NMSDVDXU.dll) ActiveX control in a browser, where the page uses the unsafe EnableLog() method to create a log file in an arbitrary location on the system:

  <html>
  <object classid="clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938" id="target"></object>
  <input language=VBScript onclick=Boom() type=button value="Exploit">
  <script language="vbscript">
  Sub Boom()
    arg1 = "FilePath\File_name_to_corrupt_or_create"
    arg2 = True
    target.EnableLog arg1, arg2
  End Sub
  </script>
  </html>

An attacker can use the first argument of the vulnerable method to pass the full path to a file and overwrite it with some content, eventually corrupting it.

2. Potential impact

An ActiveX control can offer different functionality depending on its purpose, and the maximum potential impact is limited by that functionality. In the worst-case scenario, an attacker might be able to execute arbitrary code on the target system with the privileges of the current user.

3. Attack patterns

An ActiveX control can be subject to different attack patterns, depending on the functionality of the control and its implementation.

4. Affected software

ActiveX controls that are marked as safe for initialization and safe for scripting are potentially vulnerable to this weakness. They can be introduced to the system by different software. In Internet Explorer, use the Tools->Manage Add-ons browser menu to see which ActiveX controls are available on the system and could be initialized in the browser.

5. Severity and CVSS Scoring

This weakness should be scored depending on the maximum possible impact. Keep in mind that a small amount of user interaction is needed to exploit this vulnerability (e.g. a user must visit a specially crafted webpage), so the access complexity score should be medium: AC:M. If an attacker can create files on the target system with arbitrary content and in arbitrary locations, they may also create a file in a startup directory, which will be executed when the user reboots the system. In this case, it is a remote code execution vulnerability and it should be scored as:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - Critical severity.


We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration many practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

6. Mitigations

For developers:
  • When possible, avoid marking the control as safe for scripting.
  • Validate the input on all arguments and protect them against all possible vulnerabilities.
  • When possible, whitelist the domains that can initialize the control.

For end-users:

The only way for an end-user to protect a computer against an existing vulnerability is to set a kill-bit on the control or disable it through the Manage Add-ons browser menu. To reduce the chances of becoming a victim of this type of attack, do not trust unsigned ActiveX controls.
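
The checks described in sections 4 and 6, as an added PowerShell example that is not part of the original article: it lists controls registered under the safe-for-scripting and safe-for-initialization component categories together with their kill-bit state, and sets the kill bit for a given CLSID. The function names are hypothetical; controls that declare safety at run time through IObjectSafety do not appear in this registry-based list.

```powershell
# Added example (not ImmuniWeb's code). Covers machine-wide (HKLM) registrations only.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C4A0A}'  # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C4A0A}'  # CATID_SafeForInitializing
$CompatPath = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400  # bit in "Compatibility Flags" that stops IE from loading the control

function Get-SafeMarkedControl {
    # 32-bit controls register in the 32-bit view (Wow6432Node), so read both views.
    # On 32-bit Windows both views are identical and each row appears twice.
    foreach ($view in 'Registry64', 'Registry32') {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $root = $hklm.OpenSubKey('SOFTWARE\Classes\CLSID')
        foreach ($clsid in $root.GetSubKeyNames()) {
            $cats = $root.OpenSubKey("$clsid\Implemented Categories")
            if (-not $cats) { continue }
            $names = $cats.GetSubKeyNames(); $cats.Close()
            $sfs = $names -contains $SafeForScripting
            $sfi = $names -contains $SafeForInitializing
            if (-not ($sfs -or $sfi)) { continue }
            $flags  = 0
            $compat = $hklm.OpenSubKey("$CompatPath\$clsid")
            if ($compat) { $flags = [int]$compat.GetValue('Compatibility Flags', 0); $compat.Close() }
            $srv  = $root.OpenSubKey("$clsid\InprocServer32")
            $path = if ($srv) { $srv.GetValue(''); $srv.Close() } else { $null }
            [pscustomobject]@{
                View = $view; Clsid = $clsid; SafeForScripting = $sfs; SafeForInit = $sfi
                KillBitSet = [bool]($flags -band $KillBit); Server = $path
            }
        }
        $root.Close(); $hklm.Close()
    }
}

function Set-KillBit {
    # Requires elevation. Existing compatibility flags are preserved.
    param([Parameter(Mandatory)][string]$Clsid)   # CLSID in {braces}
    foreach ($view in 'Registry64', 'Registry32') {
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key   = $hklm.CreateSubKey("$CompatPath\$Clsid")
        $flags = [int]$key.GetValue('Compatibility Flags', 0)
        $key.SetValue('Compatibility Flags', ($flags -bor $KillBit), 'DWord')
        $key.Close(); $hklm.Close()
    }
}

# Report controls that a web page can script and that are not yet blocked:
Get-SafeMarkedControl | Where-Object { $_.SafeForScripting -and -not $_.KillBitSet } | Format-Table -AutoSize
# Block the control from the example in section 1:
# Set-KillBit -Clsid '{C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938}'
```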

7. References

  1. CWE-618: Exposed Unsafe ActiveX Method [cwe.mitre.org]
  2. Not safe = not dangerous? How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer [blogs.technet.com]
  3. Safe Initialization and Scripting for ActiveX Controls [msdn.microsoft.com]

8. Exposed Unsafe ActiveX Method Vulnerabilities, Exploits and Examples


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
