Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


July 07, 2009

Microsoft Issues Zero-Day Exploit Warning

A Web Exclusive from WinInfo
Paul Thurrott
WinInfo
InstantDoc #102424
WinInfo
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
Microsoft released a rare warning for a "zero-day" vulnerability in an ActiveX control running on Windows XP or Server 2003 that is being exploited by hackers. The company doesn't have a patch ready to fix the issue yet, but because the vulnerability is being actively exploited, Microsoft is alerting customers and providing a temporary workaround.

"Microsoft issued Security Advisory 972890 to address a new vulnerability in a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003 that could allow remote code execution if a user browses to a specially-crafted Web page," a Microsoft representative told me. "We are aware of limited, active attacks that exploit this vulnerability."

"Our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer," the representative continued. "Therefore, we recommend that all customers implement the workarounds outlined in the Security Advisory. While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we recommend that they also implement the workarounds as a defense-in-depth measure."

Microsoft includes a simple "Fix it for me" link in its Security Advisory that will automatically implement the workaround on affected systems.

End of Article

Reader Comments
although it breaks a lot of stuff that websites do now, disabling activex, javascript, java, and all other plugins is still the safest way to surf.

scottm99999 July 07, 2009 (Article Rating: )

No Scottm99999.

-The safest way to surf is still on a Mac.

infiniteloop July 07, 2009 (Article Rating: )

"The safest way to surf is still on a Mac."

Not according to CanSecWest.

Waethorn July 07, 2009 (Article Rating: )

scottm99999: Then what's the point?

infiniteloop: Snarky, but correct

Waethorn: Show me how an ActiveX vulnerability affects OSX and then we'll talk. Until then, please STFU.

Paul: Thanks for the link. Going there now.

lotsamystuff July 07, 2009 (Article Rating: )

"The safest way to surf is still on a Mac."

To be as snarky as possible, I'd say the safest way to surf is to not surf at all. Although Mac users like to feel invincible, and their historically low marketshare numbers have kept them out of the financially driven malware writers scopes, the risks of phishing attacks are still just as possible on a Mac, Linux, or Windows. And with the increased marketshare numbers that Apple has been experiencing, there is now a small but steady stream of exploits being developed that target the Mac.

While ActiveX of course does not affect anything other than IE, Wae is correct in pointing out that even with a tough and secure operating system, like Leopard or Vista, unpatched and vulnerable third-party software can be easily exploited. Some of the most insecure software, such as QuickTime and the Adobe Reader are widely installed on both platforms. You're only as good as your weakest link.

In fact, this issue is widely mitigated on Vista/7, since they operate in protect mode.

Dipsh t Admin July 07, 2009 (Article Rating: )

Using Lynx on an Amiga is even safer than a Mac.

RudyRedSox July 07, 2009 (Article Rating: )

web still looks pretty good to me, even with no plugins (i'm a bit old-fashioned). i enable plugins now & then, for trusted sites, but never permanently; malware is just so darned pervasive. i opt for reduced functionality, but more safety.

scottm99999 July 07, 2009 (Article Rating: )

@losta:

Show me a Java security hole on the Windows client that has been open for more than 6 months, and exploited. Otherwise, go back under your bridge.

OH, and STFU yourself.

Waethorn July 08, 2009 (Article Rating: )

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...

WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events Introduction to Identity Lifecycle Manager "2"

SQL Server Security: How to Secure, Monitor & Audit Your Databases

Protecting Mobile Users' Data

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement