Although no security exposures have been reported, BlueZone Software has taken a proactive approach to mitigating potential
security exposures in the Web-to-Host control module. Following the recommendations of Microsoft and CERT, BlueZone
Software developed its ActiveX control with particular attention to the possible software defects we have identified, including
buffer overruns, that could result in security problems.

A buffer overrun occurs when a string copy writes more data to a buffer than the buffer can hold. To prevent this,
in every instance where a string is copied to a buffer, the length of the string is evaluated and compared to the length
of the target buffer. If the string is too long, it is trimmed to the maximum allowable length and then copied.
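
The check-then-trim copy described above can be sketched in C as follows. This is an added example, not BlueZone's code; the helper name `copy_trimmed`, its signature, and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src into dst, trimming src to fit.
 * Returns the number of characters copied (terminator excluded) and
 * sets *truncated to 1 when the source had to be trimmed. */
size_t copy_trimmed(char *dst, size_t dst_size, const char *src, int *truncated)
{
    size_t len = 0;
    size_t max;

    if (truncated)
        *truncated = 0;
    if (dst == NULL || dst_size == 0) {
        /* No room even for a terminator: nothing can be written. */
        if (truncated)
            *truncated = (src != NULL && src[0] != '\0');
        return 0;
    }
    if (src == NULL) {
        dst[0] = '\0';
        return 0;
    }

    max = dst_size - 1;              /* reserve one byte for '\0' */
    /* Measure the source, but never scan past what could be copied. */
    while (len < max && src[len] != '\0')
        len++;
    if (src[len] != '\0' && truncated)
        *truncated = 1;              /* source is longer than the buffer */

    memcpy(dst, src, len);           /* len <= dst_size - 1 by construction */
    dst[len] = '\0';                 /* always terminate */
    return len;
}

int main(void)
{
    char buf[8];                     /* constructed sample buffer */
    int cut;
    size_t n = copy_trimmed(buf, sizeof buf, "TN3270-SESSION-NAME", &cut);
    printf("copied=%zu truncated=%d value=\"%s\"\n", n, cut, buf);
    return 0;
}
```

Reporting the truncation to the caller matters because a trimmed value is no longer the value that was supplied, and the caller may prefer to reject it.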

The ActiveX buffer overrun exploit is executed by loading the compromised control in a script and overrunning the buffer to
obtain a usable address through which malicious code can be run. The Web-to-Host control module is not marked safe for scripting
and will not be loaded by the Microsoft VBScript script engine.

CERT and Microsoft also provide guidelines for the deployment and use of ActiveX controls in the enterprise to further minimize
security exposures. An excellent report on ActiveX security by CERT, and another by Microsoft on designing secure ActiveX
controls, can be found below. Both references were used when designing our control for security.