Microsoft: Ask us and we'll kill your ActiveX control
Turns off buggy Yahoo controls in first-ever stand-alone fix delivered by Windows Update
Computerworld - Microsoft Corp. on Tuesday said it would lock down other vendors' software using Windows Update-delivered fixes if those companies ask Microsoft to help stymy attacks.The company explained its efforts after being asked about a security update that disabled a vulnerable ActiveX control used by Yahoo Inc.'s music player program. "If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail firstname.lastname@example.org to work with Microsoft to issue a kill bit, disabling that control," Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), said in an e-mail. Earlier in the day, Microsoft released eight security updates, including one that set the "kill bit" for the Yahoo Music Jukebox — software that until a February revision was released had shipped with two buggy ActiveX controls. Setting the kill bit for an ActiveX control involves modifying the Windows registry and disables the ActiveX control. It does not patch the problem, and setting the kill bit means the control's functionality is lost. The policy is not new, said Rains, although the manner in which Microsoft served up the latest kill bit is. "Microsoft issued a security update specifically including kill bits for these ActiveX controls because it provides advantages to customers rather than wrapping them into Internet Explorer cumulative updates, which has been the usual method for distributing ActiveX kill bits," he said. "This is the first time the MSRC has grouped ActiveX kill bits into a separate security update," Rains confirmed. "Customers can precisely target vulnerabilities that are related to ActiveX controls without having to install an Internet Explorer update." He also said that the MSRC turned off the Yahoo ActiveX control because Yahoo asked Microsoft to do it. "...Yahoo came to the company directly with a request that a kill bit be issued for Yahoo's Music Jukebox," said Rains. In February, just days after a researcher rooted out flaws in a pair of ActiveX controls used by Music Jukebox, Yahoo patched the player. It required users to download and install the newest version before accessing the portal's music service. Yahoo did not reply to questions about why it asked Microsoft to issue the kill bit instructions as part of a Windows Update patch when it had already fixed Music Jukebox. As Rains noted, Microsoft has disabled ActiveX controls used by other companies' software in the past as part of broader updates for IE, Microsoft's browser. In December 2005, for example, it set the kill bit of an ActiveX control developed by a company called First4Internet Ltd. and distributed by Sony BMG Music Entertainmentas part of its since-abandoned copy-protection technology. "This kill bit is being set with the permission of the owner of the ActiveX control," Microsoft said in its MS05-054 security advisory, a cumulative update to IE 5.0. 5.5 and 6.0 published Dec. 13, 2005. First4Internet, Sony BMG and the latter's copy-protection schemes made headlines in November 2005 when a researcher revealed that the music label was installing a rootkit — software designed to hide the presence of other programs — to mask the antipiracy code it was putting on customers' PCs.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts