ActiveX Security Hole Stumps Microsoft

The recent report of a security hole in Microsoft's Video ActiveX Control appears to have the Redmond-based company stumped. According to insiders, Microsoft is investigating a flaw that targets a component it didn't even realize was still being used.

Security reports suggest that the vulnerability has already been exploited and that a solution must be produced by Microsoft as soon as possible. The company is investigating and promises to have a fix soon, but in the meantime has revealed that only select operating systems, including Windows XP and Windows Server 2003, are affected. Users of Windows Vista and Windows Server 2008 have escaped harm, but Microsoft is recommending that even these people perform the workaround described below or pay attention to news of a security update. (Source: cnet.com)

"No By-Design Uses..."

The reason this has caught Microsoft so off guard is because few systems continue to use the ActiveX Control being targeted. In a statement, the company said that there are "no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control."

The threat is significant for those vulnerable. According to Microsoft, those using Internet Explorer could be susceptible to remote code execution -- in other words, if a hacker knows what they're doing, they could take over a user's computer completely. It's a sinister and ingenious plan, and it may not require any user intervention once the process has started. (Source: tgdaily.com)

Workaround Available

Those who can't wait for the fix are instructed to perform a workaround for the hole involving the manipulation of the Windows Registry via Windows Registry Editor. It allows users to design a kill bit for 45 different CLSIDs, or Class Identifiers. Microsoft's guide to this process can be found here, but be warned: this is for advanced users only.