Path: csiph.com!eeepc.pasdenom.info!news.pasdenom.info!news.dougwise.org!gegeweb.org!de-l.enfer-du-nord.net!feeder2.enfer-du-nord.net!fu-berlin.de!uni-berlin.de!news.dfncis.de!not-for-mail From: Lars Uffmann Newsgroups: comp.lang.basic.visual.misc Subject: mscomctl.ocx and comctl32.ocx invoking third party executables? Date: Thu, 03 Feb 2011 15:53:17 +0100 Lines: 56 Message-ID: <8qvtngFppsU1@mid.dfncis.de> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Trace: news.dfncis.de 38lYoTcWVPy4hkHklQZ5TwCx+iABstKJuURYqLFlXuLKI4v5yDQGGFntx0 Cancel-Lock: sha1:gqkxe4o7uG0D+VNfElYBM1YuzUI= User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) Xref: csiph.com comp.lang.basic.visual.misc:1823 Hey everyone! I stumbled upon this behaviour which has me somewhat concerned about possible exploits: OS: - WinXP Professional SP3 english - security patches up to date as of 2011-02-03 Office Version: 2003 When inserting any ActiveX control contained in either mscomctl.ocx or comctl32.ocx into an office document, the installer of a proprietary software, that I sadly can not share (as much as I would like to have someone reproduce this issue) is invoked. The installer pops up with a "reconfiguring ..." dialog, not allowing the user any options other than to cancel the process. After that (aborting or letting it finish), the ActiveX control is inserted into the document and behaves as expected. This usually happens twice, after which the control behaves as expected without invoking that installer. Some times the installer is invoked twice in a row upon one insertion of ActiveX control, sometimes it happens a few more times - but mostly the aforementioned two times. If the window loses focus (does not work with alt-tabbing, does work with e.g. launching task manager or windows explorer and switching back to the office application), the unwanted behaviour returns. The comctl32.ocx on a standard windows xp (SP3) will complain that it's not licensed properly and not insert the ActiveX component selected, however, it will still induce the unwanted behaviour of invoking the third party software installer. I have checked the file version of mscomctl.ocx before vs. after installation of that third party software. The md5sum stays the same. I take that to mean that it is not modified by the installation. Reproducible with: Microsoft ProgressBar Control 6.0 (SP4), also with ListView, ImageList and TreeView as well as a couple others, tested in MS Word, Access, Excel NOT reproduciple in MS Powerpoint! ***Now my question:*** Can anyone list the means by which an ActiveX control can invoke some third party software upon first time being loaded? Given that it does not know about the third party software (and no dependency), and that this is completely unwanted behaviour, I would like someone with more understanding than I have to tell me whether this means that there is a hook in that common control library that will allow unwanted execution of code, or only installed code, or not at all. Thank you! Lars