Microsoft Warns Users of 'Zero Day' Security Issue

Microsoft's Christopher Rudd published a post over at MSRC that details the recently posted Microsoft Security Advisory 972890, which discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003 users.

"Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site," writes Rudd. "We have an investigation into this issue under way as part of our Software Security Incident Response Process (SSIRP) and are working to develop a security update to address the issue," he added.

It's unusual for Microsoft to highlight a vulnerability without already having a fix for it. The company yesterday announced that it was investigating a privately reported vulnerability in Microsoft Video ActiveX Control. According to the announcement, an attacker who managed to successfully exploit the vulnerability could gain the same user rights as the local user. That said, Microsoft does have an "in the meantime," band aid-type fix for the problem.

"In the meantime, our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer. Therefore, we’re recommending that all customers go ahead and implement the workaround outlined in the Security Advisory: setting all killbits associated with this particular control. While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed."

Check out Microsoft's security advisory for more information.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
17 comments
    Your comment
    Top Comments
  • offkey_toms
    A popular misconception concerning the firefox add-on (based on NPAPI technology) is that a add-on is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. Thus a malicious plugin can do as much damage as a malicious ActiveX control.

    People, wake up...
    13
  • Shadow703793
    offkey_tomsA popular misconception concerning the firefox add-on (based on NPAPI technology) is that a add-on is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. Thus a malicious plugin can do as much damage as a malicious ActiveX control.People, wake up...

    True, but the other parts of the IE structure allows for the easier installation of ActiveX plug-ins without the users knowledge. And has a greater ability to do damage to a system.

    Also NPAPI runs just on the browser itself while ActiveX can run as part of other programs, esp. VB, thus making ActiveX a bigger security hole than NPAPI ad-ons which is restricted mainly to the browser.
    13
  • Other Comments
  • crom
    Yet another example of the many reasons to never use Internet Explorer.
    7
  • Shadow703793
    Ummm... OK. I live off of FireFox lol. Anyways, wish they would get rid of ActiveX permanently. They SHOULD do that in Windows 8, esp. since IE is going downhill and ActiveX is part of that problem.
    8
  • offkey_toms
    A popular misconception concerning the firefox add-on (based on NPAPI technology) is that a add-on is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. Thus a malicious plugin can do as much damage as a malicious ActiveX control.

    People, wake up...
    13