Tuesday, July 07, 2009

Serious ActiveX vulnerability in Microsoft IE reported; no patch yet


Terrence O’Brien at Switched.com has a story today about a serious vulnerability in ActiveX controls of Internet Explorer that would allow hackers to control the PCs of people who had visited certain infected websites, usually supplied with links in spam. The link for O'Brien's story is here. The problem seems to affect Windows XP users but not Vista, which may be a reason to upgrade. Are “newer” operating systems always safer? They usually are. Internet Explorer 8 may be less vulnerable than earlier versions, according to Symantec.

Media reports did not immediately identify which versions of IE are affected (7 or 8), or whether all are affected.

Microsoft is planning an emergency patch soon, but in the meantime it has actually been encouraging visitors to disable ActiveX, which is generally necessary for watching video on some sites (such as Netflix, which, it would seem, could see a drop in visits to instant play because of this problem). The disabling procedure seems to require a bit of knowledge of the operating system, particularly knowledge of the registry.

Surfers may prefer to use Firefox or Google Chrome for browsing until a fix is found. It isn’t absolutely known yet if McAfee, Norton or Spysweeper could intercept the problem. However McAfee has an information page “Microsoft DirectShow MPEG2TuneRequest Stack Overflow Vulnerability” here. McAfee also says that coverage is provided in DAT 5668, as of July 6, 2009. (As of July 7, DAT 5669 was available.) McAfee users might want to consider running manual scans after such updates. It wasn’t clear from the documentation if the McAfee Firewall would prevent the remote exploit.

Microsoft has a security bulletin advisory (972890) here.

A group called Sans.org has a technical description of the ("drive-by") vulnerability (in msvidctl.dll) here. I don't know how many visitors know how to read this kind of code!

The problem has been known since about the beginning of July.
