Microsoft warns of hole in Video ActiveX control

Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.

Asked to explain what is meant by "no by-design uses," Christopher Budd, Security Response Communications lead, said: "In older operating systems like Windows XP that were originally developed under older programming methodologies, this ActiveX control was enabled for use within Internet Explorer by default to allow for possible future uses. These uses never materialized and as part of the more stringent security requirements that Windows Vista was developed under, this control was later disabled for use within Internet Explorer."

Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.

Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.

The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.

When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.

Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of Web sites are hosting the exploit.

Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.

Updated July 7 8:25 a.m. PDT with Microsoft explanation of "by-design," and July 6 at 11:45 a.m. PDT with background on a previous DirectShow hole and more details on exploits of the most recent hole.

[monkeyfun14]

Okay they need to get rid of this damn thing.

No one uses it but them.

[Random_Walk]

ActiveX? I agree, perfectly... it would also be a big step towards maintaining web standards.

OTOH, There are likely to be a zillion XP users who desperately need it for updates, sicne I doubt that Microsoft could (or rather, would) replace the functionality with an applet or a stand-alone client-side app (which in all honesty they should have done, but...)

[Vegaman_Dan]

Hmm, so there's a useful purpose in the 'Fix it fo me" feature finally? Not bad.

[monkeyfun14]

Sad thing is if they were to abandon Active X their is still a huge group of people that are going to say they are just abandoning a platform.

So they are damned if they do and damned if they don't =S

[Lerianis3]

Right in one! Fact is that Active X was a good idea AT THE TIME.... until we realized that penetrating Windows XP was so farking easy! I'm betting that if this control was run in IE protected mode in Vista, that the virus wouldn't be able to get into your system.

[sevenalive]

Well i agree they should get rid of it for Vista and up, they really can't for XP. XP uses activeX for it's windows update website, vista, 2008, 7 have a program and don't use a website for windows updates.

They are not going to getrid of it because they would have to rely of automatic updates of XP, or build a whole new update system like they did for vista. IE 8 should of gotten rid of it and that is the cause of most exploits on the windows platform.

[monkeyfun14]

When XP goes into unsupported mode in the year 2060 maybe they will get rid of it.


[sarcasm for those you don't get it]

[jake3373]

The problem here is that too many people won't switch from XP - I was one of them, until I tried Windows 7 RC. (And yes, I did have Vista on another computer - as a network developer, Vista is the worst OS)

[regulas1]

I love this, right under this article, just above the comment section is a advert trying to install malware, "Click here to scan your PC" for the latest virus, LOL I should click it and see how my Linux rig handles it.

[monkeyfun14]

Probably require you to manually compile it.

Sorry had to say it lol.

[Lerianis3]

Seems like Microsoft needs to stop including some of these ActiveX controls until they are written so that they don't have any holes in them. ActiveX is no more secure or insecure as having plugins in something like Firefox, those can be taken advantage of if they are poorly written as well.

[Random_Walk]

I sincerely doubt that... ActiveX was written specifically to allow a path between web server and client userland.

Also, FF doesn't come with the add-ons you mention (some do exist with this functionality - one of them written by Microsoft, no less for .NET compatibility, IIRC).

IE on the other hand gives you ActiveX whether you want it or not (in all fairness it can be turned off in many different ways if you know how, but then half of microsoft.com would go dark...)

[Lerianis3]

Random_Walk, you are forgetting that most people using Firefox will have one or more plugins, so yes: if they find a hole in a WIDELY USED plugin, it can be exploited just as easily as ActiveX can.

As to ActiveX being able to be turned off.... yeah, it can, but as you said, most sites on the internet use AT LEAST one ActiveX control in them, save if they are written for Firefox.

[Random_Walk]

That's the thing - they have to go get the add-ons. They're not there by default.

...and where did I say that "most" sites use "at least one ActiveX control"? I find them to be somewhat rare... outside of microsoft.com, anyway.

[jake3373]

@Lerianis
I only know one site that uses ActiveX: microsoft.com

I am a web developer, and I would never actually develop for Internet Explorer only - then the other half of the world who knows that there are better things than IE (like the ones who use Firefox, Chrome, Safari, Opera...) would probably instantly leave my site.

[Inconnux]

Active X was always a security joke... any big surprises that theres another hole?

[baconstang]

Wow! This is a first. No Mac commenters.

[gertruded]

The article says it all, why even comment.

[dbloyd]

LOL

[queticomn]

Not a mac man here, I'm a Penguin man, l@ugh right along with you macheads! hehehe.

[jake3373]

I am a windows user, but I am still against ActiveX

[blleong2008]

The workaround that MS has posted for the security problem http://support.microsoft.com/kb/972890#FixItForMe is incorrectly labelled. The workaround should be DISABLING the MS Video ActiveX Control. The button on that page that says "Enable workaround" downloads a .msi program that ENABLES the ActiveX control, according to the tooltip for the .msi file. The button that says "Disable workaround" downloads a .msi program that DISABLES the control, again according to its tooltip.

If the tooltips for the .msi programs are to be believed over the button labels on MS's web page, then users are doing exactly the wrong thing when they think that they are applying a temporary fix to this serious security problem. Microsoft needs to straighten this out and then issue yet another media release telling people who downloaded the earlier "fix" that they are still vulnerable.

This screwup still exists as of July 6 at 20:40.

[guest86]

Oh really!!!!?

I don't use Internet Explorer anymore. Move to XP and set up Firefox and SeaMonkey running very wonderful without worry about risk affect on IE only. Right?

Microsoft must stop force people use Windows Vista then move back to XP. Windows XP is very great so far! Windows XP fans must stick with XP because a lot of people complaint on Vista. Wait look froward to Windows 7 or newer. XP is best for old and new gaming since like old school fans.

[twitter_1963]

ActiveX is a plug-in like any other, ADOBE, FLEX . Look how plugins are available for Firefox, many of them buggy and certainly all of them open to security problems. Look here for Mozilla known vulnerabilities if you don't believe me! http://www.mozilla.org/security/known-vulnerabilities/ - Firefox, IE and Chrome are just Fat Clients and like all FAT CLIENTS built by someone else that connect to the outside world (even Safari and Apple) have security issues. Search Google for "APPLE SECURITY PATCHES" and you'll see, pro-rate for the number of IE V Safari users, Apple does have a high risk too.

93% of business users, maybe higher use IE. Firefox has been out for years and even CIO's and IT Managers that use Firefox personally wouldn't risk their user base on it!

[shellcodes_coder]

Another reason to use Vista and 7. Anyways Windows 7 RTM will be released to MSDN subscribers within a couple of days. Can't wait

[king-salomon1000]

Narkolayev discovered this issue, read his blog.

[slapppy]

That Microsoft TAX running total is getting bigger and bigger every day. Unlike the so called TAX for Macs, the TAX for Microsoft has cost over 9 billions dollars alone from the last worm. Good job MS.

[weegg]

Active X must die.

[chuckbexmsft]

Many of those making comments should re-read the article. A direct-show exploit was found by buggy QuickTime software. Direct-show should do a better job of protecting from sloppy coders, but ActiveX has no more to do with the exploit than the compiler used to build the code! If they want to complain about buggy, sloppy code, then they should be complaining about the QuickTime developers.

[gidstelios]

Active X??? What's that??? I'm kidding. I stopped using IE long time ago. Still Microsoft needs to rebuild their site if they are going to get rid of Active X.