
Attacking ActiveX Controls Technique

An ActiveX control allows users to connect to and control a computer program that runs on the computer without having to install it. ActiveX controls can either be written by programmers who are using Microsoft’s ADO or DAO object models, or they can be created in Visual Basic 6.0, Visual J#, and Excel – all of which use the underlying COM interfaces. The goal of an ActiveX control is often to provide a graphical user interface for interacting with a database application or other service that is difficult for non-technical users to use through shell commands.

How do ActiveX Controls Work?

To work, an ActiveX control needs to be installed on the computer. This can be done by installing a control from a company’s website or by a user installing the control from an application that contains the control. An ActiveX control is also installed by any program that hosts the control using an ActiveX control host. A control host is software (usually part of Windows) that hosts ActiveX controls and shares information about those controls with other programs. For example, if you install Microsoft Visio and then install Microsoft Visio Viewer, both programs can access and display the Visio objects in your Visio files.



Working of ActiveX controls:

Attacking ActiveX Controls Technique: 

This technique is used to exploit software that contains ActiveX components. The attacker builds a specially crafted web page containing code that embeds an ActiveX control and sends this page to the user. When the user opens the web page, the attacker gains access to the control and can execute any command on it.
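Because the technique depends on a page that instantiates a control, a proxy or mail gateway can inspect pages for that instantiation before they reach the user. The Python scanner below is an added example, not part of the original article: it reports `<object classid="clsid:...">` elements and `new ActiveXObject(...)` calls that are not on an allowlist. The names `ActiveXFinder` and `scan`, the sample page, and its CLSIDs and ProgIDs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# new ActiveXObject("Prog.ID") in script blocks or inline event handlers
ACTIVEX_JS = re.compile(r"new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
# classid="clsid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", braces optional
CLSID = re.compile(r"clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?$", re.I)

class ActiveXFinder(HTMLParser):
    """Records every ActiveX instantiation as (kind, identifier, line)."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            value = value or ""                 # valueless attributes arrive as None
            m = CLSID.match(value.strip()) if (tag, name) == ("object", "classid") else None
            if m:
                self.findings.append(("clsid", m.group(1).upper(), line))
            self._scan_js(value, line)          # inline handlers such as onclick
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self._scan_js(data, self.getpos()[0])
    def _scan_js(self, text, line):
        for m in ACTIVEX_JS.finditer(text):
            # Offset the chunk's start line by the newlines preceding the match.
            self.findings.append(("progid", m.group(1), line + text.count("\n", 0, m.start())))

def scan(html, allowed=frozenset()):
    """Return findings whose identifier (upper-cased) is not in `allowed`."""
    finder = ActiveXFinder()
    finder.feed(html)
    finder.close()
    return [f for f in finder.findings if f[1].upper() not in allowed]

# Constructed sample page; the CLSIDs and ProgIDs are placeholders, not real controls.
SAMPLE = """<object classid="clsid:11111111-2222-3333-4444-555555555555" id="ctl"></object>
<OBJECT CLASSID='CLSID:{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}'></OBJECT>
<script>
var c = new ActiveXObject("Example.Control");
</script>
<a href="#" onclick="new ActiveXObject('Example.Inline')">open</a>"""
```

This is a static match: script that assembles the control name at run time will not be reported, so an empty result does not prove a page is free of ActiveX use.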

Prevention:

To keep malware from using ActiveX controls, we opt for HTML5 in place of the browser plugin. In 2015, Microsoft announced that it would be removing support for ActiveX from its Edge browser, and Chrome removed support earlier in 2018 as well. The weaknesses of ActiveX controls have been exploited by malicious users, and the attacks have been increasing. The Microsoft Edge browser will not be supporting ActiveX controls starting in June 2019.



This technique is used to exploit code that is embedded with a control on a web page; it then gathers information from the computer so that cybercriminals can obtain all the information they require. The information gathered includes the IP address of the computer, operating system and browser information, Windows version, and authentication type. This technique can be prevented by making sure that no browser has been left on in the background, as inputs are taken through web browsers when they are off.

The exploitation method used to execute code on a victim’s machine is known as an “active” exploit. The active exploit takes advantage of security flaws in a system’s program or application; it is designed to leapfrog over a software vulnerability that requires user interaction in order to exploit it. These types of exploits are rarely available to the public and are often held for the exclusive use of antivirus and security vendors, who work with software manufacturers to patch vulnerable code. The most notable of these was the Windows Metafile vulnerability, which was used in 2004 by the mass email worm “Sober”.

It is possible for malware to actively exploit a vulnerability without insider knowledge. For example, when a website containing vulnerable Flash or Java content is visited by an end user with vulnerable plugins installed, an active attack may occur. Note that this is not considered an “ActiveX” attack because it does not entail the exploitation of ActiveX vulnerabilities directly (even though ActiveX was involved in the infection).

Countermeasures: 
