Microsoft Probing ActiveX Bug in Internet Explorer

Microsoft continues to investigate a new vulnerability revealed at the top of the week regarding an ActiveX control component in Internet Explorer. The software giant issued a security advisory on Monday to that effect.

At the heart of the bug is a flaw in Internet Explorer's video ActiveX control that could allow a hacker to gain control of a workstation if a malicious media file on a vulnerable or untrustworthy Web site is accessed by a user.

In its security advisory, Microsoft identified "limited attacks" exploiting the weakness in IE programs sitting on Windows XP and Windows Server 2003.

"Looks like ActiveX strikes again," said Andrew Storms, director of security at nCircle. "While the tidal wave of ActiveX issues seemed to have slowed in recent years, veterans of Microsoft security will recall the endless headaches caused by ActiveX vulnerabilities in the not too distant past."

Recent ActiveX bugs include one outlined in a security advisory rolled out exactly a year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

"This time, Microsoft claims that there are no by-design uses for this ActiveX Control," Storms said. "This leaves security professionals wondering why Microsoft chose to leave the ActiveX control available anyway."

To Microsoft's credit, the difference between last year and this year is its attention to detail. The software giant said Windows Vista and Windows Server 2008 users aren't touched by the vulnerability but that as a precautionary measure, IT pros working with all operating systems should "implement [the advisory workarounds] as a defense-in-depth measure."

Indeed, Redmond offered many workarounds to this IE ActiveX bug. A couple of them involve merely adjusting IE settings. For instance, administrators can choose to run IE in a restricted mode, using the enterprise-level Enhanced Security Configuration to separate client-side or local workstation Web surfing from server-side Internet access. Redmond said this is "a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone."

Another workaround involves preventing the Microsoft video ActiveX control from running in Internet Explorer. In doing this, the advisory said that there would be no operational "impact to application compatibility."

To that end, nCircle's Storms and others, such as Shavlik Technologies Chief Technology Officer Eric Schultze, laud the thorough workaround approach Redmond has taken with what has been a persistent threat in ActiveX vulnerabilities.

"Corporations and some end users may be protected via their antivirus solutions," Schultze explained. "For all others, I recommend the Microsoft Fix-It tool on their Web site -- this is a very simple and easy way for users to protect themselves."

For his part, Storms said the key positive with this latest security advisory is the "excellent set of workarounds."

"Mitigation information like this demonstrates what the industry standard should be in security bulletin information," he said.

Microsoft's security bulletin explains that the company is "currently working to develop a security update for Windows to address this vulnerability" and will release it when ready for public distribution.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
