Microsoft Probing ActiveX Bug in Internet Explorer

Microsoft continues to investigate a new vulnerability revealed at the top of the week regarding an ActiveX control component in Internet Explorer. The software giant issued a security advisory on Monday to that effect.

At the heart of the bug is a flaw in Internet Explorer's video ActiveX control that could allow a hacker to gain control of a workstation if a malicious media file on a vulnerable or untrustworthy Web site is accessed by a user.

In its security advisory, Microsoft indentified "limited attacks" exploiting the weakness in IE programs sitting on Windows XP and Windows Server 2003.

"Looks like ActiveX strikes again," said Andrew Storms, director of security at nCircle. "While the tidal wave of ActiveX issues seemed to have slowed in recent years, veterans of Microsoft security will recall the endless headaches caused by ActiveX vulnerabilities in the not too distant past."

Recent ActiveX bugs include one outlined in a security advisory rolled out exactly a year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

"This time, Microsoft claims that there are no by-design uses for this ActiveX Control," Storms said. "This leaves security professionals wondering why Microsoft chose to leave the ActiveX control available anyway."

To Microsoft's credit, the difference between last year and this year is its attention to detail. The software giant said Windows Vista and Windows Server 2008 users aren't touched by the vulnerability but that as a precautionary measure, IT pros working with all operating systems should  "implement [the advisory workarounds] as a defense-in-depth measure."

Indeed, Redmond offered many workarounds to this IE ActiveX bug. A couple of them involve merely adjusting IE settings. For instance, administrators can choose to run IE in a restricted mode allowing enterprise-level enhanced security configuration methodology to separate client-side or local workstation Web surfing from server side Internet access. Redmond said this is "a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone."

Another workaround involves preventing the Microsoft video ActiveX control from running in Internet Explorer. In doing this, the advisory said that there would be no operational "impact to application compatibility."

To that end, nCircle's Storms and others, such as Shavlik Technologies Chief Technology Officer Eric Schultze, laud the thorough workaround approach Redmond has taken with what has been a persistent threat in ActiveX vulnerabilities.

"Corporations and some end users may be protected via their antivirus solutions," Schultze explained. "For all others, I recommend the Microsoft Fix-It tool on their Web site -- this is a very simple and easy way for users to protect themselves."

For his part, Storms said the key positive with this latest security advisory is the "excellent set of workarounds."

"Mitigation information like this demonstrates what the industry standard should be in security bulletin information," he said.

Microsoft's security bulletin explains that the company is "currently working to develop a security update for Windows to address this vulnerability" and will release it when ready for public distribution.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.