How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer
In early January you may have read posts on security distribution lists regarding two ActiveX Controls released by Microsoft. We have investigated those controls and, fortunately, they are not exploitable because IE does not treat them as safe. We wanted to give you some background on how to evaluate whether a potential vulnerability found in an ActiveX control is an exploitable condition in Internet Explorer.
Each time IE finds an embedded ActiveX control in an HTML web page, IE will perform the following checks to verify if it is safe for initialization and scripting:
* IE will determine if this ActiveX Control is kill-bitted or not. If it is, IE will not load the control.
* IE will determine if this ActiveX Control implements IObjectSafety.
    * If it does, IE will query through this interface for “Safe for Initialization with data” and “Safe For Scripting”.
    * If it does not implement IObjectSafety, IE will look for these properties in the registry under the following implemented categories: {7DD95802-9882-11CF-9FA9-00AA006C42C4} (Safe for Initialization) and {7DD95801-9882-11CF-9FA9-00AA006C42C4} (Safe For Scripting).
Once IE knows these two properties it will follow this logic (under the default configuration):
* IE will load the control to query its IObjectSafety interface.
* If the control does not implement IObjectSafety and does not have the Safe For Initialization or Safe For Scripting properties in the registry, IE will unload this ActiveX Control.
* If the control is Safe for Initialization, IE will instantiate it and IE can receive data through param attributes and the DATA attribute of the object html tag.
* If the control is not Safe for Scripting, IE will not script this control through JavaScript or any other scripting language.
* If this control is Safe for Scripting, IE will allow scripting of this control.
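
The registry side of these checks can be scripted when triaging a reported control. The PowerShell below is an added example, not code from the original post: the function name is hypothetical, the CLSID is a placeholder, and the kill bit location (`Compatibility Flags` under `ActiveX Compatibility`) and the Safe For Scripting CATID ending in `95801` are taken from Windows documentation rather than from this page.

```powershell
# Added example, not code from the original post. Registry-side triage only:
# IObjectSafety is answered by the loaded control and cannot be read here.
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit             = 0x400   # bit in "Compatibility Flags" that IE treats as the kill bit

function Get-ActiveXIeTriage {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $Clsid = '{' + $Clsid.Trim(' {}') + '}'   # accept the CLSID with or without braces

    # Check 1: kill bit, in the native and the 32-bit (WOW6432Node) registry view.
    $killed = $false
    foreach ($sw in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        $key  = "HKLM:\$sw\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop -and ($prop.'Compatibility Flags' -band $KillBit)) { $killed = $true }
    }

    # Check 2: the registry fallback IE uses when the control lacks IObjectSafety.
    $sfs = $false
    $sfi = $false
    foreach ($classes in 'CLSID', 'WOW6432Node\CLSID') {
        $cats = "Registry::HKEY_CLASSES_ROOT\$classes\$Clsid\Implemented Categories"
        if (Test-Path -LiteralPath "$cats\$CatSafeForScripting") { $sfs = $true }
        if (Test-Path -LiteralPath "$cats\$CatSafeForInit")      { $sfi = $true }
    }

    $next = if ($killed) {
        'Kill bit set: IE will not load the control.'
    } elseif ($sfs -or $sfi) {
        'Marked safe in the registry: IE honors this if the control has no IObjectSafety.'
    } else {
        'No safety categories: IE loads the control only to query IObjectSafety; verify that interface.'
    }

    [pscustomobject]@{
        Clsid                    = $Clsid
        KillBit                  = $killed
        RegistrySafeForScripting = $sfs
        RegistrySafeForInit      = $sfi
        Triage                   = $next
    }
}

# Placeholder CLSID; substitute the CLSID of the control under review.
Get-ActiveXIeTriage -Clsid '{00000000-0000-0000-0000-000000000000}'
```

A control that reports no kill bit and no safety categories still needs its IObjectSafety implementation inspected before it can be ruled out.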