Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Warns of New Video ActiveX Vulnerability

Posted by Soulskill on from the like-one-of-those-pothole-signs dept.

ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the users. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."

10 of 146 comments (clear)

  1. Re:Fixes by dwieeb · · Score: 2, Informative

    Yeah, but only in Europe will IE not be bundled with Windows 7.

  2. Not privately reported by Anonymous Coward · · Score: 3, Informative

    Securityfocus has more details, including the secret identity of the 'private reporter'

  3. Re:Isolate! by abigsmurf · · Score: 2, Informative

    I'm getting as many virus alerts through Firefox now as I used to get through IE before I switched, most of them seem to be flash and pdf exploits but I've had a few occur that don't appear to be either. Yes you could potentially make Firefox safer with noscript etc. but frankly that makes for an incredibly sucky web experience (and you could turn of scripting, flash and activeX in IE too with similar results). The rise in Firefox targeted (or partially targeted) exploits, in my personal experience, has risen almost in direct proportion to the browser's popularity.

  4. Re:better workaround by L4t3r4lu5 · · Score: 2, Informative

    Supplemental: http://noscript.net/ and http://www.sandboxie.com/

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  5. Re:Fixes by mcgrew · · Score: 2, Informative

    here is the fix and no, it isn't "downgrading to Vista." It disables the vulnerable parts of the OS/IE.

    --
    Free Martian Whores!
  6. There is a difference - attack surface by WD · · Score: 4, Informative

    It is true that an ActiveX and NSAPI plug-ins are both native code and can have the same risks. But the big difference is attack surface. Code needs to very explicitly be written as a NSAPI plug-in. However, most Windows components are by default a COM object, and perhaps controlable by Internet Explorer if the developer so chooses (traditionally referred to as an ActiveX control).

    So a typical Firefox installation may have a half dozen or so plugins available, and they may have vulnerabilities. But a typical IE installation has literally thousands of COM objects at its disposal (A bare Windows XP installation has over 2500 COM objects). And those objects may have vulnerabilities as well.

    So play the numbers. IE's close integration with the OS means that it has a larger attack surface. While isolation and privilege separation is a good idea, the actual reason that Vista and 2008 are unaffected are *not* because of low-rights IE. IE on those platforms treats the ActiveX interaction required by the exploit as "unsafe" and is blocked. (Rather than allowing the exploit to occur but "neutering" it by giving it low rights).

    1. Re:There is a difference - attack surface by TheRealMindChild · · Score: 2, Informative

      An "ActiveX control" is a COM object with a certain group of interfaces... all COM objects are not ActiveX controls.

      The vulnerability here comes from, NOT necessarily the oodles of known COM libraries on every Windows system. It isn't REALLY about the fact that you can CreateObject("COMObject.OfMyChoice") on these already known objects... it's all that wrapped together with a COM object that has a .ExecuteMyCode() type method.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  7. Re:Hi, I'm a mac by Em+Emalb · · Score: 2, Informative

    It can. Made the change to our GPOs, and it's rolling out now. Having an issue with terminal server users, the installer is trying to install for every user that accesses the box (as intended, I guess) but none of our users have admin rights so it's bombing out....that's a simple fix though, just exclude any terminal server you might have and patch it manually.

    So, to answer my own question, yeah, it's easy to script it.

    --
    Sent from your iPad.
  8. Informative? More like "+1, Sounds Kinda Right." by Anonymous Coward · · Score: 2, Informative

    Wrong on two counts:

    1. Every ActiveX object is a COM object, but not every COM object is an ActiveX object. This is not a pedantic distinction.

    2. IE is no more integrated with the OS than Webkit is in KDE: the rendering libraries are considered part of the OS, and the plugin mechanism previously discussed operates there as well.

    Please know more about the technology before making unfounded assertions.

  9. Re:Oh well. by that+IT+girl · · Score: 2, Informative

    Ugh, this is the case for--get this--our HR and payroll website.
    iemployee.com
    IE only.
    Yes, I AM afraid.

    --
    10 FILL MUG WITH COFFEE
    20 DRINK COFFEE
    30 GOTO 10