DirectX SDK bug means bad news for IE users
Exploit code published, US-CERT recommends setting 'kill bit'
August 13, 2007 12:00 PM ETComputerworld - The DirectX software development kit Microsoft issued in 2002 contains a critical vulnerability, a Polish researcher claimed as he released attack code that can hijack Windows PCs by tempting Internet Explorer users to malicious sites.
According to Krystian Kloskowski, who posted exploit code on the milw0rm.com site, the FlashPix ActiveX control included with DirectX Media 6.0 SDK contains a buffer overflow bug that can be exploited. More importantly, according to an advisory issued by US-CERT on Sunday, "because the FlashPix ActiveX control is marked 'Safe for Scripting,' Internet Explorer can be used as an attack vector for this vulnerability."
Internet Explorer 6 (IE 6) can be leveraged to exploit the flaw, noted Kloskowski, but he did not say if the newer IE 7 is also a workable attack vector. For its part, Microsoft acknowledged it is investigating Kloskowski's claim but it did not answer a query about whether IE 7 users are at risk. A company spokeswoman, however, said Microsoft would provide a patch if necessary and added: "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."
The likely attack scenario, said US-CERT, would be a malicious site that includes the exploit, and spam that tries to dupe users into clicking on a link to that site. Alternately, an HTML e-mail message -- with the exploit buried in the HTML -- could also be used. In that case, infection would occur as soon as the recipient viewed the message.
Danish bug tracker Secunia rated the vulnerability as "highly critical," its second-highest threat ranking in its five-step scoring system. US-CERT, meanwhile, recommended taking the somewhat-extreme steps of either disabling all ActiveX controls or setting what's called a "kill bit" using the registry to disarm only the FlashPix control. US-CERT's warning included the string to add to the Windows registry to set the FlashPix kill bit.
Although Microsoft has added additional security features to both IE 6 and IE 7 over the years to clamp down on threats posed by buggy ActiveX controls, they remain a problem. Late last month, for example, Yahoo Widgets, a platform that runs small, Web-based gadgets on a Windows machine's desktop, was tagged with a critical vulnerability in an associated ActiveX control.
Read more about security in Computerworld's Security Knowledge Center.
ActiveX
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

