Half Dozen Fixes Baked Up For July Patch
Plus: What Microsoft knew about ActiveX flaws; what makes ActiveX flaws like 'Conficker'; Twitter gets down
Microsoft is preparing its six patches for release on
Tuesday but the key trend, event and subject of conversation this week will undoubtedly be ActiveX
Redmond on Monday released a security
advisory saying that a “vulnerability in Microsoft Office ActiveX controls” could allow remote
code execution (RCE) via Internet Explorer if ActiveX, a Windows framework designed for indentifying
and parsing software components, is enabled.
Monday's security advisory is the second in as many weeks. Last week the software giant issued a
separate advisory stating that a flaw in Internet Explorer's video ActiveX control could allow a
hacker to gain control of a workstation a user accesses a malicious media file on a vulnerable or
untrustworthy Web site. In its security advisory, Microsoft indentified "limited attacks" exploiting
the weakness in IE programs sitting on Windows XP and Windows Server 2003. This week, Redmond is
saying another vulnerability exists "specifically in the Spreadsheet ActiveX Control," which, if
opened during and IE browsing session, could trigger the exploit and give a hacker control of a
workstation or system.
Why is the ActiveX issue gaining traction in ITsec analyst circles and why does it remain at the top
of Redmond’s fix list? In Microsoft’s words, the function has been "deprecated" for some time. So,
how much time?
What Redmond Knew
Microsoft continues to catch heat as the week begins after it confirmed last Thursday that it has known
about ActiveX-related bugs used IE-related attacks for more than a year.
Mike Reavey, director of Microsoft's Security Response Center (MSRC), is steadily engaged in damage
control admitting in last Thursday's post that Redmond first got wind of a critical flaw in an
ActiveX control as early as spring of 2008. The bug, Reavey admitted, can be exploited through IE6
and IE7 versions on Windows XP, even though the flaws aren't inherent in IE itself.
"We'll release something that will block all known attacks next week," he wrote last Thursday in
reference to the patch rollout on July 14.
"We're on track to release the security update next Tuesday. But if you haven't implemented the
killbits already, we recommend that you go ahead and do that to protect yourself against the
attacks," Reavey wrote.
Researcher: ActiveX Flaws The Next 'Conficker'
Hyperbole is often the order of the day among security researchers and gadflies looking to make a
name for themselves, as well as hock security products and services. But the fact of the matter is
that ActiveX flaws have been around for more than a year, and as the threats remain unmitigated it's
possible that the utility of such flaws will grow among hackers as threats evolve.
Such are the sentiments of Roger Thompson, chief research officer at AVG Technologies, who made his
rounds to all kinds of different blogs and IT trade pubs last week, saying that the ActiveX flaws
are so pervasive that they could lead to being as widespread as the self-replicating Conficker worm.
As we now know, Conficker lit up workstations worldwide this past spring and caused mild hysteria
among news outlets and in the blogosphere and IT security communities.
Specifically, Thompson has said he's worried about the Microsoft Video Controller ActiveX Library,
or the msvidctl.dll file, an ActiveX control that can be accessed using Internet Explorer. That
exploit has been in circulation since early June and has yet to be patched. Just last week a
security advisory was issued for it.
It will be interesting to see what comes out in the rinse on Tuesday's rollout and how comprehensive
any ActiveX patches will be.
Aside from video files and spreadsheet controls, other recent ActiveX bugs include one outlined in a
security advisory rolled out exactly one year ago. In that case, Redmond said
that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft
Twitter Gets Proactive
The popular micro-blogging and social networking site Twitter announced that for security purposes,
it is suspending the accounts of some as-yet-undisclosed users whose computers have succumbed to
Koobface, a self-replicated malware strain that spreads through automation when an infected user
logs on to a social network.
The way it works is that once a user is logged on, Koobface deploys fake messages thereby enticing a
user's friend or follower -- depending on if its Facebook, MySpace or Twitter -- to click on a link
embedded in a fake message. It's a textbook example of phishing.
As I reported in previous posts, the heavy use of URL-shortening services on Twitter in particular
has made it nearly impossible to read the whole link, which makes it that much easier to pass off a
corrupt link as a trusted one through a message.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.