Microsoft Office ActiveX Security Flaws Disclosed

On the eve of its July security patch release, Redmond issued a security advisory on flaws in the ActiveX control function -- the second such advisory in as many weeks.

Redmond's latest off-cycle advisory addresses "a new vulnerability in Microsoft Office Web Components," specifically in the "spreadsheet ActiveX Control" that could give a hacker elevated user rights through a remote code execution attack.

The kicker is that a hacker can exploit the bug via Internet Explorer if ActiveX, which is a Windows framework designed for identifying and parsing software components, is enabled.

The software giant said on Monday that it was aware of "limited, active attacks attempting to exploit this vulnerability."

Security analysts have tended to point to ActiveX as a potential problem. Apparently, it's now a top priority for Redmond.

"Part of the problem is that one of the two known [ActiveX] bugs was reportedly known by Microsoft for nearly a year," wrote Andrew Storms, director of security at nCircle, in an e-mailed comment. "This information is leaving many people with an unsettled feeling, and wondering just how many other critical bugs are sitting in the Windows OS just waiting to be exploited."

Mike Reavey, director of the Microsoft Security Response Center, confirmed last Thursday that Microsoft has known about ActiveX-related bugs used in IE-related attacks for more than a year, as early as spring of 2008 in fact.

Aside from video files and spreadsheet controls, other recent ActiveX bugs include one outlined in a security advisory rolled out exactly a year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

Meanwhile, in its advisory on Monday, Microsoft said its investigation "has shown that although Internet Explorer (IE) isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE."

Reavey did intimate that a fix for ActiveX would be likely on Tuesday, but he didn't specify which Windows version the fix would affect. There is already an ActiveX fix slated for a previously identified bug in DirectShow that Microsoft has on tap for Tuesday's rollout.

"If you haven't implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks," Reavey wrote last Thursday after the advance patch release notification.

For now, Redmond is also pointing users to a Knowledge Base article linked from the latest advisory that outlines ways to work around the flaws. For instance, IT pros can make changes that prevent "Active Scripting and ActiveX controls from being used when reading HTML e-mail messages."
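The "killbit" Reavey refers to is a per-control registry flag that stops Internet Explorer from instantiating a given ActiveX control, regardless of whether the control is installed. The following PowerShell script is an added example of how an administrator would set and verify that flag; it is not code from the article or from Microsoft's advisory. The CLSID is a placeholder, since the article does not give the identifier of the affected Office Web Components control, and the `Set-KillBit` function name is this example's own.

```powershell
# Added example: set and verify an ActiveX killbit for one control.
# The CLSID below is a PLACEHOLDER; substitute the CLSID named in the advisory.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'

# The killbit lives under "ActiveX Compatibility\{CLSID}" as the DWORD
# "Compatibility Flags" with bit 0x400 set. On 64-bit Windows the 32-bit
# browser reads the Wow6432Node hive, so both paths are covered.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBitFlag = 0x400

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($root in $CompatRoots) {
        # Skip the Wow6432Node path on 32-bit Windows, where it does not exist.
        if (-not (Test-Path (Split-Path $root -Parent))) { continue }

        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # Preserve any flags already present and OR in the killbit.
        $existing = 0
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $existing = [int]$prop.'Compatibility Flags' }
        $newValue = $existing -bor $KillBitFlag

        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newValue -Type DWord
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # Returns $true only if every applicable hive has the killbit set.
    $result = $true
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path (Split-Path $root -Parent))) { continue }
        $key = Join-Path $root $Clsid
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $set = ($null -ne $prop) -and (([int]$prop.'Compatibility Flags' -band $KillBitFlag) -ne 0)
        Write-Host ("{0} : killbit {1}" -f $key, $(if ($set) { 'SET' } else { 'NOT set' }))
        if (-not $set) { $result = $false }
    }
    return $result
}

# Usage (run from an elevated prompt, since HKLM is being written):
Set-KillBit -Clsid $PlaceholderClsid
if (Test-KillBit -Clsid $PlaceholderClsid) {
    Write-Host 'Killbit in place; IE will refuse to load this control.'
}
```

The script ORs the killbit into any existing value rather than overwriting it, so other compatibility flags Microsoft may have set for the control survive. Setting a killbit does not uninstall the control or patch it; it is the stopgap the advisory describes until Tuesday's fix is applied, and removing it later is a matter of clearing the same bit.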

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
