Microsoft Probing ActiveX Bug in Internet Explorer

Microsoft continues to investigate a new vulnerability revealed at the top of the week regarding an ActiveX control component in Internet Explorer. The software giant issued a security advisory on Monday to that effect.

At the heart of the bug is a flaw in Internet Explorer's video ActiveX control that could allow a hacker to gain control of a workstation if a malicious media file on a vulnerable or untrustworthy Web site is accessed by a user.

In its security advisory, Microsoft identified "limited attacks" exploiting the weakness in IE installations on Windows XP and Windows Server 2003.

"Looks like ActiveX strikes again," said Andrew Storms, director of security at nCircle. "While the tidal wave of ActiveX issues seemed to have slowed in recent years, veterans of Microsoft security will recall the endless headaches caused by ActiveX vulnerabilities in the not too distant past."

Recent ActiveX bugs include one outlined in a security advisory rolled out exactly a year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

"This time, Microsoft claims that there are no by-design uses for this ActiveX Control," Storms said. "This leaves security professionals wondering why Microsoft chose to leave the ActiveX control available anyway."

To Microsoft's credit, the difference between last year and this year is its attention to detail. The software giant said Windows Vista and Windows Server 2008 users aren't touched by the vulnerability but that as a precautionary measure, IT pros working with all operating systems should "implement [the advisory workarounds] as a defense-in-depth measure."

Indeed, Redmond offered many workarounds to this IE ActiveX bug. A couple of them involve merely adjusting IE settings. For instance, administrators can run IE in a restricted mode, using the enterprise-level enhanced security configuration to separate client-side (local workstation) Web surfing from server-side Internet access. Redmond said this is "a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone."

Another workaround involves preventing the Microsoft video ActiveX control from running in Internet Explorer. In doing this, the advisory said that there would be no operational "impact to application compatibility."
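The mechanism behind that second workaround is the ActiveX "kill bit": a Compatibility Flags value under the ActiveX Compatibility registry key that tells Internet Explorer not to instantiate a given control, which is why it can be applied without touching the component itself. The PowerShell below is an added example written for this article, not code from the article, Microsoft, or the advisory; it sets and then verifies the kill bit. The CLSID is a placeholder because the article does not give the control's class identifier, so the real value has to come from Microsoft's advisory.

```powershell
# Added example (not from the article or Microsoft's advisory): set and verify an
# ActiveX kill bit so Internet Explorer refuses to instantiate a control.
# The CLSID is a PLACEHOLDER; substitute the value from Microsoft's advisory.
# Must be run from an elevated PowerShell session.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real control
)

$KillBit = 0x400   # Compatibility Flags bit that blocks instantiation in IE

# 64-bit Windows keeps a second registry view for 32-bit IE under Wow6432Node
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # Preserve any flags already present and OR in the kill bit
    $new = [int]$current -bor $KillBit
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verification pass: report whether the kill bit is now present in each view
foreach ($p in $Paths) {
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $blocked = ($flags -band $KillBit) -ne 0
    '{0}  kill bit set: {1}' -f $p, $blocked
}
```

The verification loop is the part worth keeping in any deployment script: a kill bit applied only to the 64-bit view leaves 32-bit IE (the common case on 64-bit Windows of that era) unprotected, so checking both locations is what tells you the workaround actually took effect.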

To that end, nCircle's Storms and others, such as Shavlik Technologies Chief Technology Officer Eric Schultze, laud the thorough workaround approach Redmond has taken with what has been a persistent threat in ActiveX vulnerabilities.

"Corporations and some end users may be protected via their antivirus solutions," Schultze explained. "For all others, I recommend the Microsoft Fix-It tool on their Web site -- this is a very simple and easy way for users to protect themselves."

For his part, Storms said the key positive with this latest security advisory is the "excellent set of workarounds."

"Mitigation information like this demonstrates what the industry standard should be in security bulletin information," he said.

Microsoft's security bulletin explains that the company is "currently working to develop a security update for Windows to address this vulnerability" and will release it when ready for public distribution.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


Reader Comments:

Thu, Jul 9, 2009 Billy Alabama

Again, I see, that bigger is not always better, and, that it is hardly ever honest. I'm sure if MS knew about this thing that long ago, they have fixed it. But, as is the custom in the "enterprising" corporations, it's for sale at "a discounted rate for loyal customers". Well that's just more hogwash from the enterprise giants!

Wed, Jul 8, 2009 Irene

My suggestion is to download Firefox 3.5 and make it your default browser. It is WAY better than IE and does not use ActiveX controls. Forget you ever knew Internet Explorer.

Wed, Jul 8, 2009 Ahmad Bahrain

I can't open an attached file to my e-mail, or attach any file to my e-mail message, or download or upload any file from my computer only.

