MS Admits 2008 ActiveX Security Exploit, Still No Fix
Microsoft is in some serious trouble after sources confirmed that the company had known about the recent IE6 and IE7 virus attacks (also known as the infamous "browse and get owned" attacks) for more than a year.
Hackers have been exploiting a vulnerability in ActiveX by enticing innocent users to click through to infected web pages and by planting "drive-by" attack code within legitimate sites. According to ScanSafe, the number of compromised sites has climbed into the millions since the attacks first began.
Attacks Predicted One Year in Advance
If the viruses and malware weren't bad enough, Mike Reavey, director of Microsoft's Security Response Center (MSRC), let slip the fact that the company first received word of the critical flaw in early spring 2008.
On the heels of this startling revelation, two more researchers, Ryan Smith and Alex Wheeler, were said to have presented knowledge of the bug to Microsoft when employed with IBM's ISS X-Force back in 2007.
Smith and Wheeler, who now work for VeriSign iDefense and 3Com's TippingPoint DVLabs respectively, declined to reveal any additional information that would further incriminate Microsoft. However, the bug's CVE (Common Vulnerabilities and Exposures) number pointed to an early 2008 reporting date. (Source: cio.com)
Suitable Patch Takes Time
Smith did later add that the nature of the flaw has much to do with the length of time needed to create a suitable patch.
Still, analysts have countered this excuse by arguing that 16-18 months is far too long to go without some kind of acceptable solution, especially for a company the size of Microsoft. For most vulnerabilities, patches are made available before the attack can occur.
Tomorrow's Patch is a Workaround
Mike Reavey also did not make matters any easier for Microsoft when he reminded everyone that a fix was still not available at this time. While he did anticipate that a patch was likely to be released tomorrow (referring to the July 14 monthly security update), he admitted that it would not be a full-fledged patch. (Source: computerworld.com)
The updates are expected to set 45 "kill bits" in the Windows registry, disabling the ActiveX control.
Microsoft also published a free tool last Monday that essentially did the same thing, but it requires a person to sit at each computer, browse over to a support site, download the tool and then activate it. That tool can be downloaded from Microsoft (KB972890).
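Because the workaround lives entirely in the registry, an administrator can confirm it without visiting each machine. The sketch below is an added example, not Microsoft's tool or code from this article: it parses a `reg export` of the ActiveX Compatibility key and reports which expected CLSIDs lack the kill bit (0x400 in "Compatibility Flags"). The CLSIDs and the sample export are constructed placeholders, since the article does not list the 45 real ones.

```python
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$", re.I)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$', re.I)

# Constructed sample export; the CLSIDs are placeholders, not those in the update.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000420
"""

def parse_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in the export."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
        elif line.startswith("["):
            current = None  # a key outside ActiveX Compatibility
        else:
            val = FLAG_RE.match(line)
            if val and current:
                flags[current] = int(val.group(1), 16)
    return flags

def audit(reg_text, expected_clsids):
    """Return the expected CLSIDs whose kill bit is unset or whose key is absent."""
    flags = parse_flags(reg_text)
    return sorted(c.upper() for c in expected_clsids
                  if not flags.get(c.upper(), 0) & KILL_BIT)

if __name__ == "__main__":
    expected = ["{00000000-0000-0000-0000-00000000000%d}" % i for i in range(1, 5)]
    for clsid in audit(SAMPLE_EXPORT, expected):
        print("kill bit NOT set:", clsid)
```

The test is a bitwise AND rather than an equality check because other compatibility flags can share the same DWORD, as in the third sample key.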
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!