NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0402 Security Pros Say Kill ActiveX:
A wave of bugs in the plug-in technology used by Microsoft's Internet Explorer
browser has some security experts, including those at US-CERT, recommending that
users disable all ActiveX controls. The U.S. Computer Emergency Readiness Team,
part of the US Department of Homeland Security, put it bluntly in advisories posted
in the last two days: "US-CERT encourages users to disable ActiveX controls as
described in the Securing Your Web Browser document," the organization recommended.
US-CERT's advice was prompted by multiple vulnerabilities in high-profile ActiveX
components used by members of Facebook and MySpace and by users of Yahoo's music
services. Three new vulnerabilities in the photo uploader software used by both
Facebook and MySpace were disclosed yesterday by a researcher, who on Monday also
posted sample attack code for a pair of critical bugs in Yahoo's Music Jukebox.
Last week, the researcher had pinned the Facebook and MySpace ActiveX controls
with two other flaws. All five of the Facebook/MySpace vulnerabilities originated
with an ActiveX control developed by Aurigma Inc.
(ComputerWorld 05FEB08)