EDGE 2015 is starting in

Find out more EDGE 2015
Menu
Microsoft admits new ActiveX zero-day bug

Microsoft admits new ActiveX zero-day bug

As patch day looms, company says critical flaw affects Office users running IE

For the second time in a week, Microsoft is warning users that hackers are exploiting an unpatched, critical bug in a company-made ActiveX control, putting people running Internet Explorer (IE) at risk.

The company has been busy lately acknowledging "zero-day" vulnerabilities. Today's admission was the third in the last two months, and the fifth since February.

According to the security advisory Microsoft released early Monday, the vulnerability is in Office Web Components, a set of ActiveX controls for publishing Office content to the Web, and for displaying that content in IE. The bug is in the ActiveX control that displays Excel spreadsheets within IE, Microsoft said.

The timing of the disclosure was particularly awkward for Microsoft. Top executives spent much of Monday morning touting the new Office 2010, which will release simultaneously next year with Office Web, scaled-down online versions of Word, Excel, PowerPoint and OneNote.

Users running Office XP, Office 2003, Internet Security and Acceleration Server (ISA) 2004, ISA 2006 and Office Small Business Accounting 2006 are at risk from attack through IE, Microsoft said. It classified the bug as a "critical" threat. "This vulnerability could be used for remote code execution in a 'browse and get owned' scenario," said Fermin Serna of the Microsoft Security Response Center (MSRC) in a blog entry today.

Hackers are now exploiting the bug in the wild, Microsoft admitted.

As in its warning of last week, Microsoft again said the most likely attack scenario would involve a malicious Web site hosting the exploit. U.K.-based Sophos echoed that with some specifics today, saying that it has found several sites, "mostly hosted in China that serve the exploit as a part of a Web exploit kit."

People running non-Microsoft browsers, such as Mozilla's Firefox or Google's Chrome, are not at risk, as they don't support ActiveX.

Users with Office 2007 are not vulnerable to attack, at least by default, although they may be if they have manually downloaded and installed Office Web Components 11, the version normally bundled with Office 2003.

"[We're] working to develop a security update," confirmed Dave Forstrom, an MSRC spokesman. He did not offer up a release date, however. "This update will be released once it reaches an appropriate level of quality for broad distribution," Forstrom said in a entry on the MSRC blog.

In lieu of a patch, users can protect themselves by setting two "kill bits" to block Office Web Components from running in IE. Since setting ActiveX kill bits can be dangerous -- it requires editing the Windows registry -- Microsoft has again created an automated tool to do the heavy lifting. The so-called "Fix it" tool can be downloaded from Microsoft's support site.

Microsoft's next regularly-scheduled security updates are due tomorrow, when it expects to roll out a half-dozen bulletins. The company has already promised to push a kill bit update for last week's ActiveX bug, but was unsure Monday whether it would be able to do the same for the newest vulnerability.

EDGE 2015:: For all the latest on EDGE 2015 including the keynote speakers visit the EDGE mini-site now

2015 ARN ICT Industry Awards: Nominations for the 2015 ARN ICT Industry Awards close on June 26. NOMINATE NOW!!!

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Tags Microsoftactivexbugs

Upcoming

Slideshows

IN PICTURES: OKI Data Australia partner event (+10 photos)
Business Products

IN PICTURES: OKI Data Australia partner event (+10 photos)

OKI recently hosted its ChannelOne dealer forum for its executive series channel partners to get together and learn about the company's new high-performance ES8400 A3 multifunction series printers. After a welcome and business overview from OKI Data Australia managing director, Dennie Kawahara, delegates were given a comprehensive overview of the new product, as well as an update on the latest marketing initiatives and software solutions, before being treated to live demos and a product showcase. Partners were also given a preview of OKI’s upcoming A3 digital LED white toner printer. With more than 60 delegates attending from all over the country, the day concluded with dinner at Casa Ristorante Italiano in Sydney and several delegates also participated in a friendly game of golf the following morning.

IN PICTURES: OKI Data Australia partner event (+10 photos)
Email 101: 11 tips to manage your email

Email 101: 11 tips to manage your email

If you’re a college graduate entering the workforce, you may quickly find you aren’t prepared for the volume of email that awaits you in the corporate world. These 11 tips will help you master forwards, filtering and more.

Email 101: 11 tips to manage your email

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments