Microsoft's Urgent Patch Precedes Black Hat Session

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."

Imagine.

[rolfc]

There are still people that think ActiveX is a gift to humanity.

Re:Imagine.

[bstreiff]

So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

Guess what? There are upgrade fees to go from XP to Vista to 7, too.

Re:Imagine.

[TheRaven64]

Namely - A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on

I don't like to contradict your wonderful hyperbole with mere facts, but the upgrade from 10.5 to 10.6 is going to cost $29, and comes two years after the release of 10.5, making the cost $14.50 per year, not $100. The upgrade from 10.4 to 10.5 cost $129 I believe (although it was $20 if you had bought 10.4 after 10.5 was announced) and was release 2.5 years after 10.4, making the cost per year $51.6. If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

sensationalist much?

[timmarhy]

yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

damned if they do damned if they dont?

Cone of Silence?

[eldavojohn]

Microsoft refused to explain the flaw and even put a cone of silence around researchers

Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.

Re:It's the commonality.

[neonsignal]

There is truth in your argument that third party additions to a browser pose a security problem, but you are comparing coffee and fish.

Plugins pose a security risk because you are running software from unknown sources as part of your browser. However, you don't need to install the plugins in order to enjoy the browser functionality.

Active X on the other hand was always intended to be integrate with web pages, which means that in many cases you would not even have been able to view the content without downloading a COM object of dubious origin. Fortunately this has largely failed, and most web content is still accessible without it (though there are a number of commercial services on the other hand that require Active X to work).

The better comparison with Active X is other dynamic web code, such as scripting languages like javascript, and of course Java, which have been used for similar purposes. There are clear differences, because Active X is running native code, and so is notoriously difficult to sandbox effectively. It is obviously a matter of degree; no system is fully secure. But whereas exploits of Active X tend to often be total (access to the host machine), exploits of systems such as javascript often revolve around more subtle issues such as masquerading.

I actually think there is merit in having internet distributable native code. But having said that, there are multiple issues. I don't think the solution is merely to improve the containment of the downloaded code (indeed, that only makes it harder for the plugin to do anything useful). The problem is one of trust: how do I know if the binary code is trustworthy (Microsoft rubberstamp certification just doesn't do it for me!); and why do most sites need Active X at all (shouldn't we just be trying to agree on some browser standards like video formats so that typical functionality can be built into the browser!).

Re:It's the commonality.

[DavidTC]

Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

Oh, look. Have to issue a killbit for that also.

The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser