Computerworld - A critical ActiveX vulnerability used by hackers to exploit Microsoft Corp.'s Internet Explorer browser is a prime candidate for another Conficker-scale attack, security experts said.
On July 6, just hours after security companies reported that thousands of compromised sites were serving up exploits, Microsoft acknowledged the flaw in the ActiveX control that can be accessed using IE. The bug has been used by hackers since at least June 9.
Microsoft said it will issue a patch for the flaw on July 14.
The vulnerability "exposes the whole world and can be exploited through the firewall," said Roger Thompson, chief research officer at security software vendor AVG Technologies USA Inc. "That's better than Conficker, which mostly did its damage once it got inside a network."
Conficker exploited a Windows flaw that Microsoft had thought dire enough to fix outside its usual update schedule in October 2008. The worm exploded into prominence in January, when a variant infected millions of machines that remained unpatched.
Microsoft confirmed the latest flaw shortly after security researchers at Danish firms CSIS Security Group AS and Secunia said that thousands of hacks of legitimate Web sites over the July 4 weekend had exploited the bug.
The hackers took advantage of the bug to reroute users to a malicious site, which in turn downloads and launches a multiexploit hacker tool kit.
Two days after disclosing the bug, Microsoft admitted that members of IBM's X-Force threat research team had first reported the vulnerability to it sometime in 2008.
The X-Force researchers had uncovered the flaw in late 2007, and in December of that year reserved a number in the Common Vulnerabilities and Exposures list of publicly known information security vulnerabilities.
One of the researchers, Alex Wheeler, now manager of 3Com Corp.'s TippingPoint DVLabs, declined to say exactly when the flaw was discovered, citing a nondisclosure agreement he had signed with his former employer.
A Microsoft spokesman didn't say why the flaw wasn't patched earlier.
"When we were alerted in 2008, we immediately started an investigation," the spokesman said in an e-mail to Computerworld. "As we wanted to be thorough, this took extra time to fully evaluate."
This version of the story originally appeared in Computerworld's print edition.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts