News

Microsoft Office ActiveX Security Flaws Disclosed

On the eve of its July security patch release, Redmond issued a security advisory on flaws in the ActiveX control function -- the second such advisory in as many weeks.

Redmond's latest off-cycle advisory addresses "a new vulnerability in Microsoft Office Web Components," specifically in the "spreadsheet ActiveX Control" that could give a hacker elevated user rights through a remote code execution attack.

The kicker is that a hacker can exploit the bug via Internet Explorer if ActiveX, which is a Windows framework designed for indentifying and parsing software components, is enabled.

The software giant said on Monday that it was aware of "limited, active attacks attempting to exploit this vulnerability."

Security analysts have tended to point to ActiveX as a potential problem. Apparently, it's now a top priority for Redmond.

"Part of the problem is that one of the two known [ActiveX] bugs was reportedly known by Microsoft for nearly a year," wrote Andrew Storms, director of security at nCircle, in an e-mailed comment. "This information is leaving many people with an unsettled feeling, and wondering just how many other critical bugs are sitting in the Windows OS just waiting to be exploited."

Mike Reavey, director of the Microsoft Security Response Center, confirmed last Thursday that Microsoft has known about ActiveX-related bugs used in IE-related attacks for more than a year, as early as spring of 2008 in fact.

Aside from video files and spreadsheet controls, other recent ActiveX bugs include one outlined in a security advisory rolled out exactly a year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

Meanwhile, in its advisory on Monday, Microsoft said its investigation "has shown that although Internet Explorer (IE) isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE."

Reavey did intimate that a fix for ActiveX would be likely on Tuesday, but he didn't specify which Windows version the fix would affect. There is already an ActiveX fix slated for a previously identified bug in DirectShow that Microsoft has on tap for Tuesday's rollout.

"If you haven't implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks," Reavey wrote last Thursday after the advance patch release notification.

For now, Redmond is also pointing users to a knowledgebase article link that comes with the latest advisory and outlines ways to work around the flaws. For instance, IT pros can make changes that prevent "Active Scripting and ActiveX controls from being used when reading HTML e-mail messages."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Microsoft's Lander on Blazor Desktop: 'I Don't See a Grand Unified App Model in the Future'

    For all of the talk of unifying the disparate ecosystem of Microsoft-centric developer tooling -- using one framework for apps of all types on all platforms -- Blazor Desktop is not the answer. There isn't one.

  • Firm Automates Legacy Web Forms-to-ASP.NET Core Conversions

    Migration technology uses the Angular web framework and Progress Kendo UI user interface elements to convert ASP.NET Web Forms client code to HTML and CSS, with application business logic converted automatically to ASP.NET Core.

  • New TypeScript 4.2 Tweaks Include Project Explainer

    Microsoft shipped TypeScript 4.2 -- the regular quarterly update to the open source programming language that improves JavaScript with static types -- with a host of tweaks including a way to explain why files are included in a project.

  • What's Top-Paying .NET Skill, In-Demand Language?

    New tech reports reveal the top-paying .NET skills and most in-demand programming languages in the Microsoft-centric developer landscape.

Upcoming Events