funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft: Ask us and we'll kill your ActiveX control

From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 9 Apr 2008 16:50:17 -0400
A lot of vendors should be speaking up here. ;-)  Secunia lists 335 security
advisories that contain the word "ActiveX" in them:

 

   http://secunia.com/search/?search=activex

 

Richard

 

http://www.computerworld.com/action/article.do?command=viewArticleBasic
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&art
icleId=9075918> &articleId=9075918


Microsoft: Ask us and we'll kill your ActiveX control


Gregg Keizer

April 08, 2008 (Computerworld) Microsoft Corp. on Tuesday said it would lock
down other vendors' software using Windows Update-delivered fixes if those
companies ask Microsoft to help stymy attacks. 

The company explained its efforts after being asked about a security update
that disabled a vulnerable ActiveX control used by Yahoo Inc.'s music player
program. 

 

"If an independent software vendor discovers that they have shipped a
vulnerable [ActiveX] control, they should e-mail secure () microsoft com to
work with Microsoft to issue a kill bit, disabling that control," Tim Rains,
a spokesman for the Microsoft Security Response Center (MSRC), said in an
e-mail. 

 

Earlier in the day, Microsoft
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&art
icleId=9075778>  released eight security updates, including one that set the
"kill bit" for the Yahoo Music Jukebox -- software that until a February
revision was released had shipped with two buggy ActiveX controls. 

 

Setting the kill bit for an ActiveX control involves modifying the Windows
registry and disables the ActiveX control. It does not patch the problem,
and setting the kill bit means the control's functionality is lost. 

 

The policy is not new, said Rains, although the manner in which Microsoft
served up the latest kill bit is. "Microsoft issued a security update
specifically including kill bits for these ActiveX controls because it
provides advantages to customers rather than wrapping them into Internet
Explorer cumulative updates, which has been the usual method for
distributing ActiveX kill bits," he said. 

 

"This is the first time the MSRC has grouped ActiveX kill bits into a
separate security update," Rains confirmed. "Customers can precisely target
vulnerabilities that are related to ActiveX controls without having to
install an Internet Explorer update." 

 

He also said that the MSRC turned off the Yahoo ActiveX control because
Yahoo asked Microsoft to do it. "...Yahoo came to the company directly with
a request that a kill bit be issued for Yahoo's Music Jukebox," said Rains. 

 

In February, just days after a researcher
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&tax
onomyId=89&articleId=9060938>  rooted out flaws in a pair of ActiveX
controls used by Music Jukebox, Yahoo patched the player. It required users
to download and install the newest version before accessing the portal's
music service. 

 

Yahoo did not reply to questions about why it asked Microsoft to issue the
kill bit instructions as part of a Windows Update patch when it had already
fixed Music Jukebox. 

 

As Rains noted, Microsoft has disabled ActiveX controls used by other
companies' software in the past as part of broader updates for IE,
Microsoft's browser. In December 2005, for example, it set the kill bit of
an ActiveX control developed by a company called First4Internet Ltd. and
distributed by Sony BMG Music Entertainment as part of its since-abandoned
copy-protection technology. 

 

"This kill bit is being set with the permission of the owner of the ActiveX
control," Microsoft said in its MS05-054
<http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx>  security
advisory, a cumulative update to IE 5.0. 5.5 and 6.0 published Dec. 13,
2005. 

 

First4Internet, Sony BMG and the latter's copy-protection schemes made
headlines in November 2005 when a researcher revealed that the music
<http://www.computerworld.com/securitytopics/security/story/0,10801,106072,0
0.html>  label was installing a rootkit -- software designed to hide the
presence of other programs -- to mask the anti-piracy code it was putting on
customers' PCs.

 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: