T 5.88 Abuse of active content

Active content means program components or scripts that are executed in the browser. Common types of active content include JavaScript, Java applets, ActiveX elements, Flash, etc. They are frequently used to make websites more interactive, to achieve special graphical effects, or to embed multimedia content.

On the other hand, active content may also have been created deliberately in order to spy out confidential data, to perform manipulations, or to infect the computer with malware. Attacks on the availability of the respective client are also possible. The common browsers include security mechanisms that restrict the access available to active content. However, weaknesses in these security mechanisms, and ways of undermining them, are published frequently.

The following aspects contribute to the fact that the execution of active content may result in security problems:

Unlike Java and JavaScript, ActiveX controls are practically unlimited in their range of functions. The controls are executed directly on the computer and may access the hardware and the operating system. Because of these far-reaching access options, the execution of ActiveX components entails a considerable risk.

By configuring the browser accordingly, a user can ensure that only digitally signed ActiveX controls are executed. However, a valid signature only demonstrates that the creator of the ActiveX control is known to a certificate authority and that the control provided by this creator was loaded unchanged. It says nothing about how such a control operates or whether it is harmless, and no warranty is assumed either.
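One way to audit and enforce the browser configuration described above, as an added example that is not part of the catalogue text: the script reads the ActiveX entries of the Internet Explorer "Internet" zone (zone 3) from the per-user registry hive and, when started with -Apply, sets them so that unsigned controls are blocked, signed controls prompt, and controls not marked safe for scripting are neither initialised nor scripted. The value names (1001, 1004, 1200, 1201) and the encoding 0 = enable, 1 = prompt, 3 = disable are Microsoft's documented zone registry entries; the target values chosen here are this example's own policy.

```powershell
# Added example (not from the T 5.88 catalogue text): audit and enforce the
# ActiveX settings of the Internet Explorer "Internet" zone (zone 3) so that
# only digitally signed controls can run. Value names and the 0/1/3 encoding
# (0 = enable, 1 = prompt, 3 = disable) follow Microsoft's documented zone
# registry entries; the wanted values below are this example's own policy.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target policy: signed controls prompt, unsigned controls are blocked, and
# controls not marked safe for scripting must not be initialised or scripted.
$Policy = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';            Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';          Want = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';           Want = 1 }
    '1201' = @{ Name = 'Initialize/script controls not marked safe';  Want = 3 }
}

function Get-ActiveXZoneFindings {
    # Returns one object per setting with the current and the wanted value.
    $current = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    foreach ($value in ($Policy.Keys | Sort-Object)) {
        $have = $null
        if ($null -ne $current -and $null -ne $current.$value) { $have = [int]$current.$value }
        [pscustomobject]@{
            Value     = $value
            Setting   = $Policy[$value].Name
            Current   = $have
            Wanted    = $Policy[$value].Want
            Compliant = ($have -eq $Policy[$value].Want)
        }
    }
}

function Set-ActiveXZonePolicy {
    # Writes the wanted DWORD values; the zone key is created if it is missing.
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    foreach ($value in $Policy.Keys) {
        Set-ItemProperty -Path $ZoneKey -Name $value -Value $Policy[$value].Want -Type DWord
    }
}

$findings = Get-ActiveXZoneFindings
$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Compliant }) {
    if ($args -contains '-Apply') {
        Set-ActiveXZonePolicy
        Get-ActiveXZoneFindings | Format-Table -AutoSize
    } else {
        Write-Warning 'Non-compliant ActiveX zone settings found; rerun with -Apply to enforce the policy.'
    }
}
```

In a managed environment the same settings are normally distributed by Group Policy rather than written per user; the audit part of the script is still useful to confirm that the policy actually arrived on a client.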