NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0483 Microsoft Offers ActiveX Help:
Microsoft Corporation said it will lock down other vendors' software using Windows
Update-delivered fixes, if those companies ask Microsoft to help stymie attacks.
The company explained its efforts after being asked about a security update that
disabled a vulnerable ActiveX control used by Yahoo's music player program. A
spokesman for the Microsoft Security Response Center (MSRC) said if an independent
software vendor discovers that they have shipped a vulnerable ActiveX control,
they should email secure@microsoft.com to work with Microsoft to issue a kill bit,
disabling that control. Earlier on Tuesday, 08APR, Microsoft released eight security
updates, including one that set the "kill bit" for the Yahoo Music Jukebox, software
that had shipped with two buggy ActiveX controls until a February revision was released.
Setting the kill bit for an ActiveX control means modifying the Windows registry so
that the control is disabled. It does not patch the problem, and setting the kill
bit means the control's functionality is lost. Microsoft has disabled ActiveX controls
used by other companies' software in the past as part of broader updates for IE,
Microsoft's browser.
(ComputerWorld 08APR08)
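
The following is an added example, not part of the ComputerWorld item or any Microsoft code: a PowerShell audit that reports whether the kill bit is set for a control and whether the control's binary is still registered. The registry location and the 0x400 flag are Microsoft's documented kill-bit mechanism rather than details from the article; the function name is hypothetical and the CLSID is a placeholder because the article gives none.

```powershell
# Added example. Kill bit = 0x400 in the DWORD "Compatibility Flags" under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID} (Microsoft-documented location).
$KillBit = 0x400
$Views = @(
    @{ Name    = 'native'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Name    = '32-bit on 64-bit Windows'
       Compat  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
       Classes = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

# Hypothetical helper name; read-only, makes no registry changes.
function Get-ActiveXKillBitStatus {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        foreach ($v in $Views) {
            if (-not (Test-Path -LiteralPath $v.Compat)) { continue }  # view absent on this system
            $flags = $null
            $key   = Join-Path $v.Compat $id
            if (Test-Path -LiteralPath $key) {
                $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
            }
            # Machine-wide COM registration only; per-user (HKCU) registrations are not checked.
            $binary = $null
            $srv    = Join-Path (Join-Path $v.Classes $id) 'InprocServer32'
            if (Test-Path -LiteralPath $srv) {
                $binary = (Get-ItemProperty -LiteralPath $srv).'(default)'
            }
            $killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            [pscustomobject]@{
                View             = $v.Name
                Clsid            = $id
                Flags            = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(none)' }
                KillBitSet       = $killed
                RegisteredBinary = $binary
                # Disabled by kill bit, but the control's file is still registered on the machine
                DisabledNotRemoved = $killed -and [bool]$binary
            }
        }
    }
}

# Placeholder CLSID (constructed); substitute the CLSID published in the vendor's advisory.
Get-ActiveXKillBitStatus -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-List
```

A row with DisabledNotRemoved set to True is the state the article describes: the control is disabled, but the problem itself is not patched and the file is still installed.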