News

Microsoft Office ActiveX Security Flaws Disclosed

On the eve of its July security patch release, Redmond issued a security advisory on flaws in the ActiveX control function -- the second such advisory in as many weeks.

Redmond's latest off-cycle advisory addresses "a new vulnerability in Microsoft Office Web Components," specifically in the "spreadsheet ActiveX Control" that could give a hacker elevated user rights through a remote code execution attack.

The kicker is that a hacker can exploit the bug via Internet Explorer if ActiveX, which is a Windows framework designed for indentifying and parsing software components, is enabled.

The software giant said on Monday that it was aware of "limited, active attacks attempting to exploit this vulnerability."

Security analysts have tended to point to ActiveX as a potential problem. Apparently, it's now a top priority for Redmond.

"Part of the problem is that one of the two known [ActiveX] bugs was reportedly known by Microsoft for nearly a year," wrote Andrew Storms, director of security at nCircle, in an e-mailed comment. "This information is leaving many people with an unsettled feeling, and wondering just how many other critical bugs are sitting in the Windows OS just waiting to be exploited."

Mike Reavey, director of the Microsoft Security Response Center, confirmed last Thursday that Microsoft has known about ActiveX-related bugs used in IE-related attacks for more than a year, as early as spring of 2008 in fact.

Aside from video files and spreadsheet controls, other recent ActiveX bugs include one outlined in a security advisory rolled out exactly a year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

Meanwhile, in its advisory on Monday, Microsoft said its investigation "has shown that although Internet Explorer (IE) isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE."

Reavey did intimate that a fix for ActiveX would be likely on Tuesday, but he didn't specify which Windows version the fix would affect. There is already an ActiveX fix slated for a previously identified bug in DirectShow that Microsoft has on tap for Tuesday's rollout.

"If you haven't implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks," Reavey wrote last Thursday after the advance patch release notification.

For now, Redmond is also pointing users to a knowledgebase article link that comes with the latest advisory and outlines ways to work around the flaws. For instance, IT pros can make changes that prevent "Active Scripting and ActiveX controls from being used when reading HTML e-mail messages."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.