Microsoft's Urgent Patch Precedes Black Hat Session

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."

sensationalist much?

[timmarhy]

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

damned if they do damned if they dont?

Re:Imagine.

[bstreiff]

So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

Guess what? There are upgrade fees to go from XP to Vista to 7, too.

Re:It's the commonality.

[DavidTC]

Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

Oh, look. Have to issue a killbit for that also.

The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser