Security Watch

Microsoft Sounds the Alarm on ActiveX Flaw

Plus: hackers aren't letting up on DirectShow; Microsoft helps defend against XSS; Apple and Mozilla work on patches.

• By Jabulani Leffall
• 07/07/2009

Just before July's patch rollout and after last month's staggeringly girthy patch release, Microsoft finds itself addressing several lingering security issues.

First up, on Monday Redmond issued Security Advisory 972890, where it discussed a fresh bug in Microsoft's video ActiveX control in Internet Explorer (IE).

"Our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer," the advisory said. "Therefore, we recommend that all customers implement the workarounds outlined in the Security Advisory."

Microsoft indentified several workarounds, including leveraging "enhanced security configuration" methods to separate client-side or local-workstation Web surfing from server-side Internet access. The company said this is "a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone." Another more prominent workaround involves preventing the video ActiveX control from running in IE. In doing this, the advisory said that there would be no operational "impact to application compatibility."

The bug affects Windows XP and Windows Server 2003 but not Windows Vista and Windows Server 2008, Microsoft said, while implying that IT pros working with IE on all operating systems should go ahead and implement the workarounds just in case.

More Hacker Malice Directed at DirectShow
While the fireworks popped during the holiday weekend, the hackers also got it popping while staffers were on vacation. News emerged this week that thousands of legitimate Web sites were hacked via an exploit in a still-unpatched vulnerability in Windows DirectShow.

According to Denmark-based security outfit CSIS Security Group, the bug is in an ActiveX control, the "msvidctl.dll" file which -- like the vulnerability for which Microsoft issued the security advisory -- streams video content.

For those looking for more information on the "drive-by" attacks on DirectShow that CSIS said it captured, like some technical illustrations of the hacks, as well as a cursory lesson in Danish, the company's Web site offers all of these things.

This isn't the first time we've seen DirectShow exploits. In May, just after Memorial Day, Microsoft issued a security advisory detailing what was identified then as a zero-day bug in DirectShow that could enable remote code execution attacks. In that advisory, Microsoft said the vulnerability could be triggered if an unsuspecting user opens a specially crafted media file. A hacker successfully deploying this bug could increase his user rights privileges within a Windows-based network.

I wrote last month about the ITSEC community's chagrin over the fact that DirectShow wasn't patched after the May advisory. In fact, Symantec said in late June that unpatched bugs have been added to a multistrike attack toolkit. "This will likely lead to widespread use in a short time," wrote Liam Murchu, a researcher with Symantec's security response group, on the company's blog last month.

The DirectShow show continues...

Microsoft Offers Tool for Cross-Site Scripting Attacks
While on the subject of Web-based attacks, cross-site scripting (XSS) exploits aren't going anywhere as a hacker vector. In that vein, Microsoft is offering help to Web developers and security administrators in the form of the Anti-Cross Site Scripting Library version 3.0 (Anti-XSS V3.0).

Redmond is describing the tool as "an encoding library" that uses a whitelisting technology for good code rather than a blacklist for bad code. This approach, Microsoft said, "works by first defining a valid or allowable set of characters, and encodes anything outside this set."

This comes about seven months after the software giant released the beta version of this XSS prevention tool.

The standard diagnosis with XSS bugs can be detected if a Web site's HTML and related coding aren't properly validated before or during a data transmission that calls up the URL. XSS attacks aren't exclusive to IE; they're also becoming more prevalent in Mozilla's Firefox, Google's Chrome and other Internet browsers. So stay tuned -- there's more to come.

Apple, Mozilla Work on Patches
Apple is spending this week working on a fix for an application-level hole in its popular iPhone that would let hackers remotely install and run unvetted code on the phone if a user opens text messages or links that have malicious coding embedded in them.

Specifically, hackers could theoretically exploit the way iPhones handle text messages received via Short Message Service (SMS) according to security researcher Charlie Miller's presentation at the recent SyScan conference in Singapore. While Miller didn't disclose the technical aspects of the hack, he did say Web-enabled smartphones will be increasingly vulnerable to remote execution-style attacks.

Meanwhile, Mozilla announced its first patch for the recently released Firefox 3.5 browser. Mozilla is looking to stave off vulnerabilities in its JavaScript-based TraceMonkey surf engine, which is said to crash the most. Because the Mozilla Foundation is an open source community, it doesn't have a formal patch rollout and monitoring apparatus, so most of the details in its advisory are so granular that only a security admin or a Web developer familiar with Firefox can really make it out.

Suffice it to say, the level of detail is what makes it all the more important to Windows enterprise professionals who've installed Firefox on Windows to either augment or supplement IE.