Microsoft: Ask us and we'll kill your ActiveX control
Turns off buggy Yahoo controls in first-ever stand-alone fix delivered by Windows Update
Computerworld - Microsoft Corp. on Tuesday said it would lock down other vendors' software using Windows Update-delivered fixes if those companies ask Microsoft to help stymy attacks.The company explained its efforts after being asked about a security update that disabled a vulnerable ActiveX control used by Yahoo Inc.'s music player program. "If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail firstname.lastname@example.org to work with Microsoft to issue a kill bit, disabling that control," Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), said in an e-mail. Earlier in the day, Microsoft released eight security updates, including one that set the "kill bit" for the Yahoo Music Jukebox — software that until a February revision was released had shipped with two buggy ActiveX controls. Setting the kill bit for an ActiveX control involves modifying the Windows registry and disables the ActiveX control. It does not patch the problem, and setting the kill bit means the control's functionality is lost. The policy is not new, said Rains, although the manner in which Microsoft served up the latest kill bit is. "Microsoft issued a security update specifically including kill bits for these ActiveX controls because it provides advantages to customers rather than wrapping them into Internet Explorer cumulative updates, which has been the usual method for distributing ActiveX kill bits," he said. "This is the first time the MSRC has grouped ActiveX kill bits into a separate security update," Rains confirmed. "Customers can precisely target vulnerabilities that are related to ActiveX controls without having to install an Internet Explorer update." He also said that the MSRC turned off the Yahoo ActiveX control because Yahoo asked Microsoft to do it. "...Yahoo came to the company directly with a request that a kill bit be issued for Yahoo's Music Jukebox," said Rains. In February, just days after a researcher rooted out flaws in a pair of ActiveX controls used by Music Jukebox, Yahoo patched the player. It required users to download and install the newest version before accessing the portal's music service. Yahoo did not reply to questions about why it asked Microsoft to issue the kill bit instructions as part of a Windows Update patch when it had already fixed Music Jukebox. As Rains noted, Microsoft has disabled ActiveX controls used by other companies' software in the past as part of broader updates for IE, Microsoft's browser. In December 2005, for example, it set the kill bit of an ActiveX control developed by a company called First4Internet Ltd. and distributed by Sony BMG Music Entertainmentas part of its since-abandoned copy-protection technology. "This kill bit is being set with the permission of the owner of the ActiveX control," Microsoft said in its MS05-054 security advisory, a cumulative update to IE 5.0. 5.5 and 6.0 published Dec. 13, 2005. First4Internet, Sony BMG and the latter's copy-protection schemes made headlines in November 2005 when a researcher revealed that the music label was installing a rootkit — software designed to hide the presence of other programs — to mask the antipiracy code it was putting on customers' PCs.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts