Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attacks Against Unpatched Microsoft Bug Multiply

Posted by kdawson on from the how-not-to-excel dept.

CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

3 of 122 comments (clear)

  1. kill bits by HTH+NE1 · · Score: 5, Informative

    A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.

    Well, Computer World (and CWmike in particular), perhaps more users would take advantage of the protection if you would provide them a link telling them how when you first mention it rather than wait until the end of the article where they may not associate it as being the aforementioned solution.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  2. My solution for ActiveX (no, not installing Linux) by istartedi · · Score: 5, Informative

    I use the IE security settings. Yes. It works. The only real problem with it, is that they are a bit convoluted for ActiveX. I had to slow down and think before I got what I wanted, which is essentially to have any web site that wants to run ActiveX prompt me, and then I can choose to accept (but virtually never do).

    Notice to web developers: If your site requires ActiveX, and it's not an absolutely essential service from a company that I can yell at, I will go someplace else. IIRC, I have one online financial service that fits that category.

    Otherwise, I DON'T NEED ACTIVEX. NOBODY REALLY DOES. ANYTHING WORTH DOING CAN BE DONE WITHOUT IT.

    And yes, that's shouting. It needs to be shouted loud enough for these people to hear it. It needs to be shouted again, and again. ActiveX belongs with IE6. Actually, it should have been killed off many revs before that. It should have been shot down by somebody who countered the suggestion at the very first meeting where it was discussed. Maybe somebody had the flu that day.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  3. They have by Sycraft-fu · · Score: 5, Informative

    If you go read the notice, you find out that Vista and Server 2008 aren't affected. Reason is that IE has a sandbox mode on those OSes (Windows 7 too) for things like that. However, it relies on changes to the OS so it hasn't been backported to XP and I don't know that it could be easily.

    So yes, they have sandboxed ActiveX, but it applies to newer versions of Windows only.