Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT



IE at risk from zero day ActiveX flaw - Vista safe?

From the 'IE users beware!' files

Microsoft has issued a new security advisory for a critical security issue that could potentially enable an attacker to take control of a user's PC by way of Internet Explorer (IE).

The flaw stems from an issue in the Microsoft Video ActiveX Control. Microsoft has noted in its advisory that it is currently aware of attacks related to this flaw. Microsoft offers a workaround in its advisory to let users disable the ActiveX Control in question. According to the advisory, Microsoft is currently working on a security update to fix the flaw as well. In my view this is likely to be an out-of-band update, though seeing as Patch Tuesday is tomorrow, we could get it early too.

Microsoft's advisory notes that the update will be released, "...when it has reached an appropriate level of quality for broad distribution."

Aside from the fact that IE is at risk from a flaw, the interesting part of this flaw, in my opinion, is that the function which this attack is abusing has no real use in IE in the first place.
"Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control," Microsoft's advisory states.

So to recap, IE is at risk from a function which shouldn't be enabled in IE in the first place. I wonder how many other such ActiveX idiosyncrasies are in IE?

Hacking ActiveX is as old as, well, ActiveX itself. The really interesting thing this time around is the fact that Microsoft Vista users are not at risk. That's right, thanks to the way that Vista provides permissions to IE, this particular flaw doesn't pose a risk to Vista users - only XP users.

That's a big deal - it means that eventually, though ActiveX flaws might well persist, as users migrate away from XP to newer versions of Windows, their risk profile from ActiveX flaws will diminish.
