Security Watch

Half Dozen Fixes Baked Up For July Patch

Plus: What Microsoft knew about ActiveX flaws; what makes ActiveX flaws like 'Conficker'; Twitter gets down

Microsoft is preparing its six patches for release on Tuesday but the key trend, event and subject of conversation this week will undoubtedly be ActiveX controls.

Redmond on Monday released a security advisory saying that a “vulnerability in Microsoft Office ActiveX controls” could allow remote code execution (RCE) via Internet Explorer if ActiveX, a Windows framework designed for identifying and parsing software components, is enabled.

Monday's security advisory is the second in as many weeks. Last week the software giant issued a separate advisory stating that a flaw in Internet Explorer's video ActiveX control could allow a hacker to gain control of a workstation if a user accesses a malicious media file on a vulnerable or untrustworthy Web site. In its security advisory, Microsoft identified "limited attacks" exploiting the weakness in IE programs sitting on Windows XP and Windows Server 2003. This week, Redmond is saying another vulnerability exists "specifically in the Spreadsheet ActiveX Control," which, if opened during an IE browsing session, could trigger the exploit and give a hacker control of a workstation or system.

Why is the ActiveX issue gaining traction in ITsec analyst circles and why does it remain at the top of Redmond’s fix list? In Microsoft’s words, the function has been "deprecated" for some time. So, how much time?

What Redmond Knew
Microsoft continues to catch heat as the week begins after it confirmed last Thursday that it has known about ActiveX-related bugs used in IE-related attacks for more than a year.

Mike Reavey, director of Microsoft's Security Response Center (MSRC), is steadily engaged in damage control, admitting in last Thursday's post that Redmond first got wind of a critical flaw in an ActiveX control as early as spring of 2008. The bug, Reavey admitted, can be exploited through IE6 and IE7 versions on Windows XP, even though the flaws aren't inherent in IE itself.

"We'll release something that will block all known attacks next week," he wrote last Thursday in reference to the patch rollout on July 14.

"We're on track to release the security update next Tuesday. But if you haven't implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks," Reavey wrote.
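The "killbit" Reavey refers to is a registry flag (the 0x400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key) that stops Internet Explorer from instantiating a given control. The script below, added here as an illustration and not taken from the article or from Microsoft, sets and then verifies that bit on both the native and the Wow6432Node key; the CLSID is a placeholder, to be replaced with the one named in the advisory, and the script must run from an elevated session.

```powershell
# Added example: set and verify an IE killbit for one ActiveX control (defensive mitigation).
# Placeholder CLSID; substitute the CLSID published in Microsoft's advisory.
$clsid   = '{00000000-0000-0000-0000-000000000000}'
$KILLBIT = 0x400   # Compatibility Flags bit: "never load this control in IE"

# Native key plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Get-CompatFlags {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the bit in so any other compatibility flags already present are preserved.
    $flags = (Get-CompatFlags -Path $Path) -bor $KILLBIT
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit {
    param([string]$Path)
    return ((Get-CompatFlags -Path $Path) -band $KILLBIT) -ne 0
}

foreach ($p in $paths) {
    # Skip the Wow6432Node view on 32-bit Windows, where its parent key does not exist.
    if (-not (Test-Path (Split-Path $p -Parent))) { continue }
    Set-KillBit -Path $p
    if (Test-KillBit -Path $p) { "Killbit set: $p" } else { "Killbit NOT set: $p" }
}
```

Running only the Test-KillBit loop (without Set-KillBit) turns the same script into an audit check for whether the advisory's workaround is already in place.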

Researcher: ActiveX Flaws The Next 'Conficker'
Hyperbole is often the order of the day among security researchers and gadflies looking to make a name for themselves, as well as hawk security products and services. But the fact of the matter is that ActiveX flaws have been around for more than a year, and as the threats remain unmitigated it's possible that the utility of such flaws will grow among hackers as threats evolve.

Such are the sentiments of Roger Thompson, chief research officer at AVG Technologies, who made his rounds to all kinds of different blogs and IT trade pubs last week, saying that the ActiveX flaws are so pervasive that they could become as widespread as the self-replicating Conficker worm. As we now know, Conficker lit up workstations worldwide this past spring and caused mild hysteria among news outlets and in the blogosphere and IT security communities.

Specifically, Thompson has said he's worried about the Microsoft Video Controller ActiveX Library, or the msvidctl.dll file, an ActiveX control that can be accessed using Internet Explorer. That exploit has been in circulation since early June and has yet to be patched. Just last week a security advisory was issued for it.

It will be interesting to see what comes out in the rinse on Tuesday's rollout and how comprehensive any ActiveX patches will be.

Aside from video files and spreadsheet controls, other recent ActiveX bugs include one outlined in a security advisory rolled out exactly one year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

Twitter Gets Proactive
The popular micro-blogging and social networking site Twitter announced that for security purposes, it is suspending the accounts of some as-yet-undisclosed users whose computers have succumbed to Koobface, a self-replicating malware strain that spreads through automation when an infected user logs on to a social network.

The way it works is that once a user is logged on, Koobface deploys fake messages, thereby enticing a user's friend or follower -- depending on whether it's Facebook, MySpace or Twitter -- to click on a link embedded in a fake message. It's a textbook example of phishing.

As I reported in previous posts, the heavy use of URL-shortening services on Twitter in particular has made it nearly impossible to read the whole link, which makes it that much easier to pass off a corrupt link as a trusted one through a message.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
