Microsoft Warns Users Of Serious ActiveX Flaw
6:26 PM EST Mon. Jul. 06, 2009
Microsoft issued a security advisory Monday warning users of attacks exploiting a critical vulnerability in Microsoft Video ActiveX Control, which paves the way for a remote attacker to launch malicious code on users' computers via Internet Explorer.
However, the good news might be that the buggy ActiveX Control doesn't affect any major functionality in IE, which allows the control to be disabled in the Web browser without any significant impact to the user.
"Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control," Microsoft said in its advisory.
At worst, the ActiveX Control bug, which affects several versions of Windows, including Windows XP and Windows Server 2003, allows attackers to infiltrate a user's system and download malicious code, typically information-stealing Trojans and keyloggers. Attackers often distribute the malware via compromised legitimate Web sites or by enticing a user to click on a link that opens a malicious Web site in IE, usually through some kind of social engineering scheme.
So far the attacks don't appear to affect Windows Vista or Windows Server 2008, because both systems restrict data flowing to ActiveX within IE, Microsoft said.
Marc Fossi, manager of research development for Symantec Security Response, said that attacks exploiting the ActiveX flaw were found on some Chinese Web sites as well as a Russian Embassy site in Washington, D.C., but added that the security community didn't yet know the extent of the attacks globally.
Fossi said there was little to distinguish this ActiveX flaw from others exploiting Web browser vulnerabilities.
"We see exploits that serve vulnerabilities that are exploited through IE and plug-ins all the time and this isn't really any different than the rest," Fossi said. "People shouldn't be going into panic mode."
Microsoft said in its advisory that it was working on a fix for the bug, which will either be released in its monthly Patch Tuesday security bulletin or separately as an emergency out-of-band update.
Until that happens, there are some workarounds. Microsoft recommended in its advisory that users disable the ActiveX Control in IE on Windows XP and Windows Server 2003. Microsoft also recommends that users disable the ActiveX Control on Vista and Server 2008 as a "defense in depth" measure, even though those systems are unaffected by the flaw.
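Disabling an ActiveX control in IE means setting its "kill bit": a Compatibility Flags registry value with bit 0x400 set under the control's CLSID, after which IE refuses to instantiate it. The script below is an added example written for this article, not Microsoft's own Fix-it or code from the advisory; it assumes the CLSIDs to block are taken from Microsoft's advisory, and the CLSID in the script is a placeholder, not a real msvidctl.dll class identifier.

```powershell
# Added example (not from the article or from Microsoft): set and verify the
# Internet Explorer kill bit for an ActiveX control by CLSID. Must run as an
# administrator because the key lives under HKLM.
$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# On 64-bit Windows the 32-bit IE reads the same key under Wow6432Node, so
# set the bit in both locations if both browsers are present.
$CompatRoot32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid, [string]$Root = $CompatRoot)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (([int]$flags -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid, [string]$Root = $CompatRoot)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = if ($null -eq $existing) { 0 } else { [int]$existing }
    # OR in the kill bit so any other compatibility flags already set survive
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($flags -bor $KillBit) -Force | Out-Null
}

# PLACEHOLDER CLSID: replace with each class identifier listed in the advisory.
$clsids = @('{00000000-0000-0000-0000-000000000000}')
foreach ($c in $clsids) {
    foreach ($root in @($CompatRoot, $CompatRoot32)) {
        if (Test-Path (Split-Path $root -Parent)) {
            Set-ActiveXKillBit -Clsid $c -Root $root
            '{0} under {1}: kill bit set = {2}' -f $c, $root, (Test-ActiveXKillBit -Clsid $c -Root $root)
        }
    }
}
```

Run Test-ActiveXKillBit on its own to audit a machine without changing it; the value should read back with bit 0x400 set on every CLSID from the advisory.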
In addition to disabling the ActiveX Control in IE, Fossi recommended that users also make it a practice to log into their computers with minimal privileges. Users who log in as an administrator run the risk of exposing the rest of the network to any kind of code executed on the system, he said.
"Use a lower privileged account to do your day-to-day stuff," Fossi said. "If you're running as an administrator, potentially anything that executes on the computer as a result could affect all users."