Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

Critical Vulnerabilities Plague South Korean ActiveX Controls

Tens of very basic but Critical vulnerabilities were found in 10 South Korean ActiveX controls as part of a short research project, security researchers with Risk Based Security say. 

Tens of very basic but Critical vulnerabilities were found in 10 South Korean ActiveX controls as part of a short research project, security researchers with Risk Based Security say. 

Although considered obsolete and unsafe, ActiveX technology is still used by many South Korean websites, including many government sites, and will likely continue to be used for a while longer. 

The reason for that is a 20-year old law that mandated the use of Internet Explorer and asked users to allow ActiveX controls to run, particularly on government, banking, and education websites.

Although the South Korean government decided to lift the mandatory use of ActiveX technology in 2014, and even took steps to eliminate ActiveX controls from government websites four years ago, many continue to rely on ActiveX. Currently, the goal is to eliminate the technology from all government websites by 2020.

Until that happens, however, South Korean users are still dependent on ActiveX technology, and they remain exposed to the inherent risks of safe-for-scripting ActiveX controls, Risk Based Security points out. 

In the beginning of the year, the security researchers started looking into vulnerabilities in ActiveX controls by employing both fuzzing and in-depth reverse engineering. They eventually stopped after finding 40 vulnerabilities across the 10 most popular ActiveX controls (out of 100). 

“The discovered vulnerabilities were all very basic: various types of buffer overflows and unsafe exposed functionality that allowed executing code on users’ systems. There was no need to make a greater effort to find more complex ones,” the security researchers say.

Advertisement. Scroll to continue reading.

Risk Based Security also explains that at the time of the analysis, the investigated ActiveX controls were available from websites for different organizations, “including a bank, a major financial company, a major technology company, some universities, and a government entity.”

Some of the impacted organizations are HandySoft, Naracontent Co,. Ltd, Korean Intellectual Property Office (KISA), Samsung Securities, INITECH Co., Ltd., Innorix, and Korea Educational Broadcasting Corporation (EBSi).

The security researchers say that in early February they alerted the Korea Internet & Security Agency (KISA) of these issues. The Agency has worked with the impacted vendors to either address the issues or deprecate the vulnerable ActiveX controls and remove them from the impacted websites.

“It seems 2020 can’t come fast enough for the South Koreans. It’s evident that they’re not only relying on antiquated technology, but their ActiveX controls are just as unsafe as the ones used elsewhere many years ago,” Risk Based Security concludes. 

Related: North Korean Hackers Launch New ActiveX Attacks

Related: North Korean Hackers Abuse ActiveX in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.