Security researchers at Risk Based Security have discovered tens of critical vulnerabilities in 10 South Korean ActiveX controls as part of a research project.
The experts discovered that many South Korean websites still use ActiveX controls, including many government sites, despite the risks associated with the use of this technology.
The websites still use the technology because of a 20-year old law that mandated the use of Internet Explorer and asked users to allow ActiveX controls to run. Microsoft no longer supports ActiveX in Microsoft Edge, which is the default recommended default browser over Internet Explorer.
According to research conducted by experts at IssueMakersLab, since 2007 and up to 2018, North Korea linked attacks exploited a large number of zero-day flaws in commonly used ActiveX.
In 2014, the South Korean government decided to lift the mandatory use of ActiveX controls, unfortunately many websites still continue using them. South Korea aims at eliminating the technology from all government websites by 2020.
“At the beginning of 2019, we did some research into South Korean ActiveX controls previously exploited in 0-day attacks, resulting in the discovery of, among other things, an incomplete fix for one of them.” reads the analysis published Risk Based Security firm. “During this process, we also obtained a repository of about 100 South Korean ActiveX controls.”
Security researchers searched for vulnerabilities in ActiveX controls since January 2019 and found 40 vulnerabilities across the 10 most popular controls. Experts spotted the flaws by approaching combined fuzzing of the controls with in-depth reverse engineering of the most popular ones
“The discovered vulnerabilities were all very basic: various types of buffer overflows and unsafe exposed functionality that allowed executing code on users’ systems. There was no need to make a greater effort to find more complex ones,” the researchers explained.
The experts found several types of flaws including buffer overflows and unsafe exposed functionality that could be exploited to execute code on users’ systems.
The flawed ActiveX controls were available from websites for different organisations including a bank, a major financial company, a major technology company, some universities, and a government entity.
The security reported the issue to the Korea Internet & Security Agency (KISA) in early February.
The Agency reported the issues to the impacted vendors and helped them address the vulnerabilities and remove the vulnerable ActiveX.
“It seems 2020 can’t come fast enough for the South Koreans. It’s evident that they’re not only relying on antiquated technology, but their ActiveX controls are just as unsafe as the ones used elsewhere many years ago,” Risk Based Security concludes.