Slashdot Mirror
Attacks Against Unpatched Microsoft Bug Multiply
CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Mod me up, cause I talked bad about Microsoft. It's the Slashdot way and you must stick with the Slashdot norms otherwise you'll look like a complete asshole.
Someone finally found a hole in a Microsoft application using a Microsoft framework opening a Microsoft application!
Nobody? OK no cream.
Apparently everyone using IE or FF 3.5 is waiting for updates before posting.
With the number of ActiveX related security issues you would have thought they would simply drop it or at least sandbox it?
Jumpstart the tartan drive.
These attacks are exploiting a flaw in an ActiveX control for displaying Excel worksheets. Right now they are just multiplying. You just know that they will eventually start adding. What happens if they start subtracting? Let's not even mention dividing at this point. God help us all...
Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.
My head didn't stay unexploded while I wasn't unreading this unstatement.
I'm a little more militant in my opinion of ActiveX.
Dumbest idea EVER. Microsoft has tossed more money down this sinkhole of a technology trying to fill the hole. People, Companies and governments have tossed even more down the same hole fixing issues that directly arise from some ActiveX bug.
How much further along would Microsoft have been along if they had just passed over this DUMB marketing idea anyway. ( It had to come from marketing, it must have, really who else could be this dumb. )
What it's been a decade of disaster when it comes to ActiveX issues.
Guys it's a bad idea. It's lame, take it out back and shoot it. Just say out loud, "We are sorry, this will never be in another one of our products after this point."
However it has made a lot of my product buying decisions over the years a lot easier. I ask the sales nerd. "Does this product make use of ActiveX in any way? I mean even as an optional addon?". If I get the reply, "Yes", or "We are building ActiveX into the next version.". I simple end the meeting and escort them to the door and give them a complimentary donut. ( I'm getting a bit like that when the caffeinated hyper English sales guy screams, web2.0 AJAX twitter in my face when he's only talking about the product packaging. )
Back to ActiveX. Again I say, DUMBEST IDEA EVER!
Sorry I take that back. Sub-Prime Mortgages, that's the dumbest idea ever. We'll give you money at a loss, not really check your credit, and expect you to be able to repay at an insane rate in 3-5 years time. Now that's a DUMB idea.