|
Getting Started |
BlueZone Web-to-Host |
Though no reports of any security exposures have arisen, SEAGULL has taken a proactive approach to mitigate potential security exposures with the SEAGULL Web-to-Host Control Module. By following the recommendations of Microsoft and CERT, SEAGULL has developed our ActiveX control, paying particular attention to possible software defects we have identified, including buffer overruns, that could result in security problems.
Buffer overruns are string copies where the data copied to the buffer is longer than the buffer size. To prevent this from happening, in all instances where a string is copied to a buffer, the string is evaluated for length and compared to the length of the target buffer. If the string is too long, it is trimmed to the maximum allowable length, then copied.
The ActiveX buffer overrun exploit is executed by loading the compromised control in a script and overrunning the buffer to obtain a useable address through which malicious code can be run. The SEAGULL Web-to-Host Control Module is not marked safe for scripting and will not be loaded by the Microsoft VBScript script engine.
CERT and Microsoft also provide guidelines for the deployment and use of ActiveX controls in the enterprise to further minimize security exposures. An excellent report on ActiveX security by CERT, and another by Microsoft on designing secure ActiveX controls can be found below. Both references were used when designing our control for security.
http://www.cert.org/reports/activeX_report.pdf
http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/security.asp