News

Microsoft Office ActiveX Security Flaws Disclosed

On the eve of its July security patch release, Redmond issued a security advisory on flaws in the ActiveX control function -- the second such advisory in as many weeks.

Redmond's latest off-cycle advisory addresses "a new vulnerability in Microsoft Office Web Components," specifically in the "spreadsheet ActiveX Control" that could give a hacker elevated user rights through a remote code execution attack.

The kicker is that a hacker can exploit the bug via Internet Explorer if ActiveX, which is a Windows framework designed for indentifying and parsing software components, is enabled.

The software giant said on Monday that it was aware of "limited, active attacks attempting to exploit this vulnerability."

Security analysts have tended to point to ActiveX as a potential problem. Apparently, it's now a top priority for Redmond.

"Part of the problem is that one of the two known [ActiveX] bugs was reportedly known by Microsoft for nearly a year," wrote Andrew Storms, director of security at nCircle, in an e-mailed comment. "This information is leaving many people with an unsettled feeling, and wondering just how many other critical bugs are sitting in the Windows OS just waiting to be exploited."

Mike Reavey, director of the Microsoft Security Response Center, confirmed last Thursday that Microsoft has known about ActiveX-related bugs used in IE-related attacks for more than a year, as early as spring of 2008 in fact.

Aside from video files and spreadsheet controls, other recent ActiveX bugs include one outlined in a security advisory rolled out exactly a year ago. In that case, Redmond said that a bug enabled hackers to exploit a hole in ActiveX controls for certain components of Microsoft Access.

Meanwhile, in its advisory on Monday, Microsoft said its investigation "has shown that although Internet Explorer (IE) isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE."

Reavey did intimate that a fix for ActiveX would be likely on Tuesday, but he didn't specify which Windows version the fix would affect. There is already an ActiveX fix slated for a previously identified bug in DirectShow that Microsoft has on tap for Tuesday's rollout.

"If you haven't implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks," Reavey wrote last Thursday after the advance patch release notification.

For now, Redmond is also pointing users to a knowledgebase article link that comes with the latest advisory and outlines ways to work around the flaws. For instance, IT pros can make changes that prevent "Active Scripting and ActiveX controls from being used when reading HTML e-mail messages."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Microsoft Shares Coming Windows Server 20H1 Improvements

    Microsoft recently detailed a few improvements coming to the next release of Windows Server, including faster PowerShell performance and a smaller container size.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • Microsoft Bringing Teams to Linux in Preview

    A limited preview of the Microsoft Teams app is now available for select Linux desktop operating systems, making it "the first Microsoft 365 app" to run on Linux.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.