Sign in with
Sign up | Sign in

Microsoft Warns Users of 'Zero Day' Security Issue

By - Source: Tom's Hardware US | B 17 comments

Microsoft this week took to its Security Response Center blog to warn users about a vulnerability that the Redmond-based company has yet to patch.

Microsoft's Christopher Rudd published a post over at MSRC that details the recently posted Microsoft Security Advisory 972890, which discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003 users.

"Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site," writes Rudd. "We have an investigation into this issue under way as part of our Software Security Incident Response Process (SSIRP) and are working to develop a security update to address the issue," he added.

It's unusual for Microsoft to highlight a vulnerability without already having a fix for it. The company yesterday announced that it was investigating a privately reported vulnerability in Microsoft Video ActiveX Control. According to the announcement, an attacker who managed to successfully exploit the vulnerability could gain the same user rights as the local user. That said, Microsoft does have an "in the meantime," band aid-type fix for the problem.

"In the meantime, our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer. Therefore, we’re recommending that all customers go ahead and implement the workaround outlined in the Security Advisory: setting all killbits associated with this particular control. While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed."

Check out Microsoft's security advisory for more information.

Discuss
Ask a Category Expert

Create a new thread in the News comments forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
Top Comments
  • 13 Hide
    Shadow703793 , July 7, 2009 9:35 PM
    offkey_tomsA popular misconception concerning the firefox add-on (based on NPAPI technology) is that a add-on is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. Thus a malicious plugin can do as much damage as a malicious ActiveX control.People, wake up...

    True, but the other parts of the IE structure allows for the easier installation of ActiveX plug-ins without the users knowledge. And has a greater ability to do damage to a system.

    Also NPAPI runs just on the browser itself while ActiveX can run as part of other programs, esp. VB, thus making ActiveX a bigger security hole than NPAPI ad-ons which is restricted mainly to the browser.
  • 13 Hide
    offkey_toms , July 7, 2009 9:11 PM
    A popular misconception concerning the firefox add-on (based on NPAPI technology) is that a add-on is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. Thus a malicious plugin can do as much damage as a malicious ActiveX control.

    People, wake up...


Other Comments
  • 7 Hide
    crom , July 7, 2009 8:31 PM
    Yet another example of the many reasons to never use Internet Explorer.
  • Display all 17 comments.
  • 8 Hide
    Shadow703793 , July 7, 2009 8:34 PM
    Ummm... OK. I live off of FireFox lol. Anyways, wish they would get rid of ActiveX permanently. They SHOULD do that in Windows 8, esp. since IE is going downhill and ActiveX is part of that problem.
  • 13 Hide
    offkey_toms , July 7, 2009 9:11 PM
    A popular misconception concerning the firefox add-on (based on NPAPI technology) is that a add-on is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. Thus a malicious plugin can do as much damage as a malicious ActiveX control.

    People, wake up...


  • 13 Hide
    Shadow703793 , July 7, 2009 9:35 PM
    offkey_tomsA popular misconception concerning the firefox add-on (based on NPAPI technology) is that a add-on is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. Thus a malicious plugin can do as much damage as a malicious ActiveX control.People, wake up...

    True, but the other parts of the IE structure allows for the easier installation of ActiveX plug-ins without the users knowledge. And has a greater ability to do damage to a system.

    Also NPAPI runs just on the browser itself while ActiveX can run as part of other programs, esp. VB, thus making ActiveX a bigger security hole than NPAPI ad-ons which is restricted mainly to the browser.
  • 3 Hide
    tmike , July 7, 2009 9:51 PM
    The small trickle of updates to Windows are far easier to swallow than the daily stream of notices I receive about new defects and vulnerabilities in Debian.
  • 3 Hide
    jhansonxi , July 7, 2009 9:56 PM
    tmikeThe small trickle of updates to Windows are far easier to swallow than the daily stream of notices I receive about new defects and vulnerabilities in Debian.
    Most Linux distro package managers update every application installed, not just the OS and web browser. The distros are very paranoid and proactive (although probably not as much as OpenBSD).
  • 0 Hide
    SAL-e , July 7, 2009 10:17 PM
    Quote:
    "In the meantime, our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer. ...

    Why the hell if the ActiveX Control has no useful use, can be run remotely and can not be uninstalled?
  • 0 Hide
    Anonymous , July 7, 2009 10:32 PM
    SAL-e: It was probably a backdoor in the first place... Or else Microsoft is utterly incompetent, you choose...
  • -2 Hide
    dafin0 , July 7, 2009 11:48 PM
    cromYet another example of the many reasons to never use Internet Explorer.


    no yet another reason to update you software,no one should be using IE6/7 anymore so if anything happens to them then its there own fault
    (btw) the article doesn't seam to state this only effects IE6/7
  • -5 Hide
    Core2uu , July 8, 2009 12:12 AM
    More than your punishment for using IE, it's your punishment for continuing to use a decade old OS.

    Cmon people, let's move, the turn of the century was almost 10 years ago.
  • 0 Hide
    hemelskonijn , July 8, 2009 1:40 AM
    Fun part though would be that this security problem was already in the focus but a few weeks back when they first wrote about it they limited the warning to use in combination with quicktime.
    Back then loads of people replied that it was Apple who made buggy software and i already posted that the leak was possible to exploit in other ways and thus again making it a microsoft problem i got at least 6 thumbs down for that in under 4 hours.

    Now here it is again the same activeX leak but this time nothing about quicktime lets see who shall we blame this time ?
  • -2 Hide
    neiroatopelcc , July 8, 2009 6:23 AM
    all the anti IE stuff aside, does anyone actually implement any of those workarounds? I'm 'in charge' of some 400 systems + about 20 servers or so, and I've NEVER implemented a single of the workarounds.
  • 3 Hide
    Platypus , July 8, 2009 11:40 AM
    hemelskonijnBack then loads of people replied that it was Apple who made buggy software and i already posted that the leak was possible to exploit in other ways and thus again making it a microsoft problem i got at least 6 thumbs down for that in under 4 hours.

    It sounds like you take those 'thumb downs' rather personally.
  • -5 Hide
    hemelskonijn , July 8, 2009 12:36 PM
    Platypus:

    Not really though it shows how intelligent the average Tom's hardware reader is.
  • 3 Hide
    bunz_of_steel , July 8, 2009 12:48 PM
    I think terrorizors and aliens use IE to brainwash us into thinking M$ is the only choice.....yeh and the MAF-RIAA are really nice ppl.
  • 0 Hide
    fuser , July 8, 2009 4:55 PM
    You'd have to live in a cave to think that MS is the only option. My grandmother was talking about firefox the other day.
  • 0 Hide
    crom , July 8, 2009 5:35 PM
    dafin0no yet another reason to update you software,no one should be using IE6/7 anymore so if anything happens to them then its there own fault(btw) the article doesn't seam to state this only effects IE6/7


    This hits all versions of IE on XP, including 8. It may affect Vista as well, hence their warning. Forgetting the security issue at the moment, IE doesn't even comply to standards, so websites will look wrong in it. Its just a badly designed web browser that is as big as security hole as Quicktime is for a Mac.