Microsoft Warns of New Video ActiveX Vulnerability

ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the user. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."
  • Re:Fixes (Score:2, Informative)

    by dwieeb ( 1573153 ) on Tuesday July 07, 2009 @09:45AM (#28607177)
    Yeah, but only in Europe will IE not be bundled with Windows 7.
  • by Anonymous Coward on Tuesday July 07, 2009 @09:56AM (#28607359)

    Securityfocus [securityfocus.com] has more details, including the secret identity of the 'private reporter'.

  • Re:Isolate! (Score:3, Informative)

    by abigsmurf ( 919188 ) on Tuesday July 07, 2009 @10:01AM (#28607439)
    I'm getting as many virus alerts through Firefox now as I used to get through IE before I switched; most of them seem to be Flash and PDF exploits, but I've had a few occur that don't appear to be either. Yes, you could potentially make Firefox safer with NoScript etc., but frankly that makes for an incredibly sucky web experience (and you could turn off scripting, Flash and ActiveX in IE too with similar results). The number of Firefox-targeted (or partially targeted) exploits, in my personal experience, has risen almost in direct proportion to the browser's popularity.
  • Re:better workaround (Score:3, Informative)

    by L4t3r4lu5 ( 1216702 ) on Tuesday July 07, 2009 @10:18AM (#28607703)
    Supplemental: http://noscript.net/ [noscript.net] and http://www.sandboxie.com/ [sandboxie.com]
  • Re:Fixes (Score:3, Informative)

    by mcgrew ( 92797 ) on Tuesday July 07, 2009 @10:47AM (#28608157)

    here [microsoft.com] is the fix and no, it isn't "downgrading to Vista." It disables the vulnerable parts of the OS/IE.

  • by WD ( 96061 ) on Tuesday July 07, 2009 @11:04AM (#28608425)

    It is true that ActiveX controls and NPAPI plug-ins are both native code and can have the same risks. But the big difference is attack surface. Code needs to be very explicitly written as an NPAPI plug-in. However, most Windows components are by default a COM object, and perhaps controllable by Internet Explorer if the developer so chooses (traditionally referred to as an ActiveX control).

    So a typical Firefox installation may have a half dozen or so plugins available, and they may have vulnerabilities. But a typical IE installation has literally thousands of COM objects at its disposal (A bare Windows XP installation has over 2500 COM objects). And those objects may have vulnerabilities as well.

    So play the numbers. IE's close integration with the OS means that it has a larger attack surface. While isolation and privilege separation is a good idea, the actual reason that Vista and 2008 are unaffected is *not* low-rights IE. IE on those platforms treats the ActiveX interaction required by the exploit as "unsafe" and blocks it (rather than allowing the exploit to occur but "neutering" it by giving it low rights).

  • Re:Hi, I'm a mac (Score:2, Informative)

    by Em Emalb ( 452530 ) <ememalb AT gmail DOT com> on Tuesday July 07, 2009 @11:56AM (#28609225)

    It can. Made the change to our GPOs, and it's rolling out now. Having an issue with terminal server users: the installer is trying to install for every user that accesses the box (as intended, I guess), but none of our users have admin rights so it's bombing out. That's a simple fix though; just exclude any terminal server you might have and patch it manually.

    So, to answer my own question, yeah, it's easy to script it.
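An added example, not from this thread, the commenters or Microsoft, of the kind of script the two comments above refer to (mcgrew's "fix" link that disables the vulnerable control, and Em Emalb's scripted rollout): it audits, and with -Apply sets, the IE kill bit on a list of ActiveX CLSIDs, which is the registry mechanism the advisory's workaround uses. The CLSID values are placeholders; the real list comes from the Microsoft advisory linked in the story.

```powershell
# Added example, not from the thread, the commenters or Microsoft.
# Audits (and with -Apply, sets) the IE "kill bit" on a list of ActiveX CLSIDs,
# the mechanism the advisory's workaround uses. CLSIDs below are PLACEHOLDERS;
# take the real list from the Microsoft advisory.
param([switch]$Apply)

$KillBit = 0x400   # COMPATFLAG_KILLBIT: IE refuses to instantiate the control
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, not a real control
    '{00000000-0000-0000-0000-000000000002}'    # placeholder, not a real control
)

# 32-bit IE on a 64-bit OS reads the Wow6432Node view, so cover both.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([IntPtr]::Size -eq 8) {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags([string]$Key) {
    $p = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.'Compatibility Flags' } else { return 0 }
}

function Test-KillBit([string]$Root, [string]$Clsid) {
    $key = Join-Path $Root $Clsid
    return (Test-Path $key) -and (((Get-CompatFlags $key) -band $KillBit) -eq $KillBit)
}

function Set-KillBit([string]$Root, [string]$Clsid) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so other compatibility flags already on the control survive.
    $new = (Get-CompatFlags $key) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        if (Test-KillBit $root $clsid) {
            Write-Output "OK       $clsid  ($root)"
        } elseif ($Apply) {
            Set-KillBit $root $clsid
            Write-Output "SET      $clsid  ($root)"
        } else {
            Write-Output "MISSING  $clsid  ($root)  (run with -Apply to set)"
        }
    }
}
```

Writing to HKLM needs an elevated session; run without -Apply first to see which machines or registry views are still missing the bit, which is also a useful post-rollout check for the GPO deployment.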

  • by TheRealMindChild ( 743925 ) on Tuesday July 07, 2009 @12:03PM (#28609331)
    An "ActiveX control" is a COM object with a certain group of interfaces... not all COM objects are ActiveX controls.

    The vulnerability here does NOT necessarily come from the oodles of known COM libraries on every Windows system. It isn't REALLY about the fact that you can CreateObject("COMObject.OfMyChoice") on these already known objects... it's all that wrapped together with a COM object that has a .ExecuteMyCode() type method.
  • by Anonymous Coward on Tuesday July 07, 2009 @12:15PM (#28609555)

    Wrong on two counts:

    1. Every ActiveX object is a COM object, but not every COM object is an ActiveX object. This is not a pedantic distinction.

    2. IE is no more integrated with the OS than Webkit is in KDE: the rendering libraries are considered part of the OS, and the plugin mechanism previously discussed operates there as well.

    Please know more about the technology before making unfounded assertions.

  • Re:Oh well. (Score:3, Informative)

    by that IT girl ( 864406 ) on Tuesday July 07, 2009 @12:45PM (#28609957)
    Ugh, this is the case for--get this--our HR and payroll website.
    iemployee.com
    IE only.
    Yes, I AM afraid.
