Critical Vulnerabilities Plague South Korean ActiveX Controls

Dozens of very basic but critical vulnerabilities were found in 10 South Korean ActiveX controls during a short research project, security researchers with Risk Based Security say.


Although considered obsolete and unsafe, ActiveX technology is still used by many South Korean websites, including many government sites, and will likely continue to be used for a while longer. 


The reason is a 20-year-old law that mandated the use of Internet Explorer and required users to allow ActiveX controls to run, particularly on government, banking, and education websites.


Although the South Korean government lifted the ActiveX mandate in 2014, and took steps four years ago to remove ActiveX controls from government websites, many sites still rely on the technology. The current goal is to eliminate it from all government websites by 2020.


Until that happens, however, South Korean users remain dependent on ActiveX technology and exposed to the inherent risks of safe-for-scripting ActiveX controls, Risk Based Security points out. A control registered as safe for scripting can be instantiated and driven by script on any page Internet Explorer renders (subject to the zone's ActiveX settings), not only on the site that distributed it, so a memory-corruption bug or an over-exposed method in such a control can be triggered by a drive-by page.
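The practical question for an administrator is which controls on a given machine are reachable this way, and whether Internet Explorer's kill bit already blocks them. The script below is an added example, not code from the article or from Risk Based Security: it enumerates registered COM classes whose "Implemented Categories" subkey carries the documented "Safe for scripting" and "Safe for initialization" category IDs, reports each one's in-process server DLL, and checks the documented kill-bit flag (0x400 in "Compatibility Flags" under IE's ActiveX Compatibility key). The function and variable names are the example's own; the GUIDs and registry locations are Microsoft's documented values.

```powershell
# Added example (not from the article or from Risk Based Security): list COM classes on
# this machine registered as "Safe for scripting" and/or "Safe for initialization", and
# show whether Internet Explorer's kill bit is set for each.
#
# The two category GUIDs are the documented CATIDs IE checks; the kill-bit registry
# location and the 0x400 flag are IE's documented "ActiveX Compatibility" mechanism.

$CatidSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatidSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitFlag           = 0x400

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -Path $compatKey)) { return $false }
    $flags = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    # A missing value casts to 0, i.e. no kill bit.
    return (([int]$flags) -band $KillBitFlag) -ne 0
}

function Get-ScriptSafeActiveXControls {
    param(
        # 64-bit Windows registers 32-bit controls (the ones 32-bit IE loads) under WOW6432Node.
        [string[]]$ClsidRoots = @(
            'HKLM:\SOFTWARE\Classes\CLSID',
            'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
        )
    )
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $catKey = Join-Path -Path $clsidKey.PSPath -ChildPath 'Implemented Categories'
            if (-not (Test-Path -Path $catKey)) { continue }
            $catIds = @(Get-ChildItem -Path $catKey -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
            $scriptSafe = $catIds -contains $CatidSafeForScripting
            $initSafe   = $catIds -contains $CatidSafeForInit
            if (-not ($scriptSafe -or $initSafe)) { continue }

            $clsid  = $clsidKey.PSChildName
            $name   = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
            $server = (Get-ItemProperty -Path (Join-Path -Path $clsidKey.PSPath -ChildPath 'InprocServer32') `
                       -ErrorAction SilentlyContinue).'(default)'

            [PSCustomObject]@{
                CLSID                 = $clsid
                Name                  = $name
                InprocServer32        = $server
                SafeForScripting      = $scriptSafe
                SafeForInitialization = $initSafe
                KillBitSet            = Test-ActiveXKillBit -Clsid $clsid
            }
        }
    }
}

function Set-ActiveXKillBit {
    # Blocks a control from loading in IE without uninstalling it. Needs an elevated shell.
    param([Parameter(Mandatory)][string]$Clsid)
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $KillBitFlag
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Usage: controls without a kill bit are listed first; those are the ones any page can script.
Get-ScriptSafeActiveXControls |
    Sort-Object KillBitSet, Name |
    Format-Table CLSID, Name, SafeForScripting, SafeForInitialization, KillBitSet, InprocServer32 -AutoSize
```

Two caveats apply to the listing. A control can also declare itself safe at run time through the IObjectSafety interface rather than through the registry categories, so the registry enumeration is a lower bound, not the full set of scriptable controls; auditing those requires loading the control. And setting the kill bit disables the control for every IE user on the machine, including the banking or government site that legitimately needs it, so it is a containment step to test before rolling out, not a silent fix.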


At the beginning of the year, the researchers began looking for vulnerabilities in ActiveX controls using both fuzzing and in-depth reverse engineering. They stopped after finding 40 vulnerabilities across the 10 most popular ActiveX controls (out of 100).


“The discovered vulnerabilities were all very basic: various types of buffer overflows and unsafe exposed functionality that allowed executing code on users’ systems. There was no need to make a greater effort to find more complex ones,” the security researchers say.


Risk Based Security also explains that at the time of the analysis, the investigated ActiveX controls were available from websites for different organizations, “including a bank, a major financial co ..