Microsoft Warns of New Video ActiveX Vulnerability

ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the users. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."

Re:Isolate!

[lorenlal]

You have to take a look at your market to distribute your virus too. Sure, Opera might have more market share in Russia and the Ukraine, but it's still tiny [wikipedia.org] overall.

By attacking IE only, you get 65%, include Firefox, and you're staring at 87% of the browsers in total use. You could target certain countries if you wanted to, but for most malware writers it's pure numbers, and it doesn't matter where they come from. I don't know if Opera is designed/written any better... but I can reasonably assume that it's not being targeted as intensely as IE/FF. I'm not taking my hat off to them until they lock down enough worldwide market share to become worthy of being targeted.

I totally agree that the browser shouldn't be so integrated with the operating system. As a rule, we all know that you don't put yourself out on the public internet... Why have a utility that's part of the OS reach out and grab stuff from there? But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.

Re:Isolate!

[Opportunist]

Isolation only helps so much. Given that a lot of interesting malware targets (online banking, paypal, amazon, ebay...) are used exactly with the same browsers that would execute the malware, containing it to the browser doesn't really help a lot. You'd have to disallow the browser to make changes to itself. And, while sensible, this would not be very popular with a lot of people who want to "click and install".

Re:couldn't microsoft

[VGPowerlord]

couldn't microsoft just warn us when they have found no exploits at all?

In theory, they already do this on the second Tuesday of every month.

However... has there ever been a Microsoft patch Tuesday that hasn't had any patches? I'm going to tentatively say "No"...

Re:Isolate!

[lorenlal]

However, why is this such a problem? Its not so hard to create some level of virtualization for so specific target as a simple webbrowser...

Have you spent a lot of time managing virtual applications? If so, you already know that managing the virtualized application is not trivial. Especially if you have plugins. Adding a plugin (currently) requires reworking the virtual application's package. This has been due to change for years, but I haven't witnessed this in practice yet.

Even when you run stuff like Flash and so on it. Instead of installed all over the OS, Flash and other plugins could be installed on that virtualized and separated space that would be cleaned and restored to original "last good known state" when browser quits. Then there would be another isolated space to save all the temp data, cookies and such which would be even more restricted and hence could be sustained thru different browser sessions too.

Of course, as it stands right now, we have a few browsers that support private browsing. That does prevent much of the data picked up from getting saved. I don't know what it's impact is with malware, but I'd guess it doesn't hurt. Also, what you're suggesting would require a major effort on the part of browser makers. I don't think that the vast majority of users could go and add plugins manually to their virtual browser. I'm not saying that it's impossible thought.

I agree with your original post that it's not necessary to have a "tightly integrated" browser. If it weren't for this integration, you could reduce the need to virtualize in the first place.

Re:Hmm...

[magamiako1]

No. There would have to be some sort of vulnerability existing in the system to launch code, to then launch IE, to then exploit IE.......yeah....you can see the logic in that.

No, if IE is not running or being used, the exploit would not affect the system.

That said, this vulnerability does not affect Vista or Windows 7, or IE7/8 on those systems.

Really--people should upgrade. And furthermore, people should not disable UAC.

Re:Isolate! HA!

[plague3106]

Another reason to not use ActiveX and NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE.

Um, what? This has nothing to do with the kernel.

This is another reason NOT to use Vista.

How so? Vista is secure from this, its XP thats vunerable.

Where are my mod points?
It seems they got lost about a month or so ago and never came back.

With posts like this, I can see why.

Sometimes I wonder...

[DarKnyht]

It makes me wonder why any financial institution would still design their websites to require Internet Explorer and/or Active X. Seems sort of like putting up guide rails at a bowling alley and then expecting everyone to bowl gutter balls.