NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0410 US-CERT Warns of Continuing ActiveX Vulnerabilities:
A recent string of high-profile ActiveX vulnerabilities has caused the US Computer
Emergency Readiness Team (US-CERT) to advise users to disable the Microsoft browser
plug-in technology altogether. "We're seeing an increase in exploits aimed at these
types of [ActiveX] tools that are commonly used with a variety of technologies including
social networking sites and multimedia players. As online crime becomes more prominent,
malicious actors are taking advantage of these types of vulnerabilities to accomplish
their objectives," said a US-CERT spokesman. "There's simply a lot of software out there
using ActiveX that's either preloaded or embedded that users don't even realize is there,
and that's why it was necessary to make the advisory," he continued. Although features
added in Microsoft's Internet Explorer 7 may eventually help reduce the problem, ActiveX
will remain among the leading programs assaulted by opportunistic cyber-criminals, at
least for the foreseeable future, several researchers say.
Some of the most prominent examples of ActiveX exploits include malware attacks aimed at
Microsoft's Data Access Component (MDAC) software, and problems with the HTML Help ActiveX
control module in Internet Explorer that opened it to numerous types of attacks, most
notably the Phel Trojan virus, according to the article.
Disabling ActiveX is not seen as the long-term solution, however. "The issue goes beyond
ActiveX. Any plug-in architecture that has a lot of users will suffer from these same
issues; anything where you have third party developers writing code that runs inside the
browser," said a researcher.
(www.infoworld.com 19FEB08)