Microsoft is finally repairing a critical Microsoft Video ActiveX Control vulnerability that has allowed hackers to unleash malicious cyberattacks on users' PCs via Internet Explorer for more than a year.
The ActiveX vulnerability is one of three critical patches slated to be issued next week for Microsoft's "Patch Tuesday" security update release.
Security experts have maintained that, at worst, the buggy ActiveX Control, which directly affects Windows XP and Server 2003, allows hackers to execute information-stealing Trojan attacks on users' computers by luring them to malicious Web sites while they're running IE. In recent weeks, experts have detected attacks exploiting the ActiveX flaw on hundreds of thousands of Chinese Web sites accessed with IE, as well as on the Russian Embassy Web site in Washington, D.C.
But for some reason, this ActiveX patch was a particularly long time in coming -- more than a year, in fact.
Mike Reavey, group manager for the Microsoft Security Response Center, explained in a company blog post that it was a matter of complications that led to an extraordinarily long investigation time.
Microsoft first received the original report in spring of 2008, Reavey said, and since discovered that the ActiveX flaws were far more complicated, and far-reaching, than previously thought. Plus, "there were no known uses" for the ActiveX Control in IE, and the control was disabled by default in Windows Vista anyway, right?
"In the case of this particular issue, part of our investigation showed other interfaces were vulnerable in this ActiveX Control, not only the one seen used in attacks," Reavey said.
As such, Reavey said, Microsoft simply encouraged its responsible users to disable the troublesome ActiveX Control and prevent it from loading in IE, because this could be done without any significant impact to the user.
"We were far enough along in our process that we felt comfortable taking this information from our investigation and giving it to customers so they could take immediate action to protect themselves while we finished our security update," he said. "To make it even easier for customers to protect themselves, we also implemented the 'fixit' that automatically implements the killbits."
Problem solved. Or was it?
Reavey went on to explain that the research team actually took longer to investigate because the remedy involved disabling the ActiveX functionality in IE. Why? Well, they didn't want to deploy a patch that could possibly break users' applications.
"When we disable or remove functionality, we have to engage in even more research and testing than usual," he said. "For something like this, we have to ensure not only our applications but also major third-party applications are not hurt by this. Otherwise, if our update 'breaks' a major application, customers won't deploy the update but the bad guys will have information about the vulnerability that they can use to attack it."
Reavey said that users who have already implemented the killbits wouldn't necessarily have to install the upcoming patch, although Microsoft is recommending that users apply the update anyway "to ensure that reporting accurately shows that the systems are fully protected."
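The "killbits" Reavey refers to are the standard Internet Explorer mechanism for blocking a specific ActiveX control: a `Compatibility Flags` value with bit 0x400 set under the control's CLSID in the `ActiveX Compatibility` registry key. The following PowerShell is an added example for administrators who want to verify that the mitigation actually took effect on a machine; it is not Microsoft's own Fix it tool. The CLSID used here is a placeholder, since the article does not name the affected control's identifier; substitute the CLSID from the Microsoft advisory.

```powershell
# Added example (not Microsoft's Fix it): check and, if asked, set the IE kill bit for a CLSID.
# Placeholder CLSID -- replace with the identifier from the Microsoft security advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Both native and WOW64 views must be checked on 64-bit Windows; 32-bit IE reads the Wow6432Node key.
$KillBitPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
$KillBit = 0x400   # bit that tells IE never to instantiate the control

function Test-KillBit {
    # Returns one object per registry view: path, whether the key exists, and whether the kill bit is set.
    param([string[]]$Paths = $KillBitPaths)
    foreach ($p in $Paths) {
        $flags = $null
        if (Test-Path $p) {
            $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Path       = $p
            KeyExists  = (Test-Path $p)
            Flags      = $flags
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-KillBit {
    # Sets the kill bit while preserving any other compatibility flags already present. Requires elevation.
    param([string[]]$Paths = $KillBitPaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        $newFlags = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }
}

# Report current state; a row with KillBitSet = False means IE will still load the control.
Test-KillBit | Format-Table -AutoSize

# Uncomment to apply the mitigation on a machine that has not yet received the update:
# Set-KillBit; Test-KillBit | Format-Table -AutoSize
```

Run the check from an elevated prompt on an inventory of machines before and after deploying the Fix it or the update; as Reavey's comment about reporting suggests, a control that is merely kill-bitted still shows as unpatched in update-compliance tools, so the registry state is the only place the mitigation is visible.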
Oh. Meanwhile, Microsoft's antidote to this dilemma appeared to consist of waiting for more than a year while encouraging users to step up and disable the flawed control themselves.
That is, until the bad guys actually did catch on and started launching zero-day attacks.