Microsoft admits new ActiveX zero-day bug
As patch day looms, company says critical flaw affects Office users running IE
Computerworld - For the second time in a week, Microsoft Corp. is warning users that hackers are exploiting an unpatched, critical bug in a company-made ActiveX control, putting people running Internet Explorer at risk.
The company has been busy lately acknowledging "zero-day" vulnerabilities. Today's admission was the third in the last two months and the fifth since February.
According to the security advisory that Microsoft released early today, the vulnerability is in Office Web Components, a set of ActiveX controls for publishing Office content to the Web and for displaying that content in IE. The bug is in the ActiveX control that displays Excel spreadsheets within IE, Microsoft said.
The timing of the disclosure was particularly awkward for Microsoft. Top executives spent much of this morning touting the new Office 2010, which will be released simultaneously next year with Office Web, scaled-down online versions of Word, Excel, PowerPoint and OneNote.
Users running Office XP, Office 2003, Internet Security and Acceleration Server (ISA) 2004, ISA 2006 and Office Small Business Accounting 2006 are at risk from attack through IE, Microsoft said. It classified the bug as a "critical" threat. "This vulnerability could be used for remote code execution in a 'browse and get owned' scenario," said Fermin Serna of the Microsoft Security Response Center (MSRC) in a blog entry today.
Hackers are now exploiting the bug in the wild, Microsoft admitted.
As in its warning of last week, Microsoft again said the most likely attack scenario would involve a malicious Web site hosting the exploit. Abingdon, England-based security vendor Sophos PLC echoed that with some specifics today, saying that it has found several sites, "mostly hosted in China that serve the exploit as a part of a Web exploit kit."
People running non-Microsoft browsers, such as Mozilla's Firefox or Google's Chrome, are not at risk, since those applications don't support ActiveX.
Users of Office 2007 are not vulnerable to attack, at least by default, although they may be if they have manually downloaded and installed Office Web Components 11, the version normally bundled with Office 2003.
"[We're] working to develop a security update," confirmed Dave Forstrom, an MSRC spokesman. He did not offer up a release date, however. "This update will be released once it reaches an appropriate level of quality for broad distribution," Forstrom said in an entry on the MSRC blog.
In lieu of a patch, users can protect themselves by setting two "kill bits" to block Office Web Components from running in IE. Since setting ActiveX kill bits can be dangerous -- it requires editing the Windows registry -- Microsoft has again created an automated tool to do the heavy lifting. The so-called "Fix it" tool can be downloaded from Microsoft's support site.
Microsoft's next regularly-scheduled security updates are due tomorrow, when it expects to roll out a half-dozen bulletins. The company has already promised to push a kill bit update for last week's ActiveX bug, but said it wouldn't do the same for the newest vulnerability. "Unfortunately, the comprehensive update for this vulnerability is not quite ready for broad distribution," a company spokesman said today in an e-mail.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts