Microsoft warns of attacks on new ActiveX hole

Attackers are exploiting a new critical ActiveX hole in Microsoft Office to take control of PCs by luring Internet Explorer users to malicious Web sites, Microsoft said on Monday.

The zero-day hole, the third one announced by Microsoft in less than two months, is in Office Web Components ActiveX controls used to display and publish spreadsheets, charts, and databases to the Web.

It affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.

The security advisory details a manual workaround, or people can use Microsoft's Fix-It tool to implement the workaround automatically.

Microsoft said it was working on a security update to patch the hole.

Antivirus vendor Sophos, meanwhile, said in a blog posting on its site that it had received reports of several Web sites, mostly in China, serving the exploit as part of a Web exploit kit that downloads and runs a Windows Executable detected as "Mal/Generic-A."

[monkeyfun14]

Doesn't affect Vista or IE 8 cnet loves to fail to report that though so Microsoft can still be attacked for a dated OS they barely support.

[BK216]

EXACTLY...no matter what people say/claim about Vista....you can't change the fact that its more secure and less vulnerable than XP

[lennie22]

Elinor, do better next time.

[BogusBasin]

Die Microsoft Die!

Amen

[pithenumber]

@BogusBasin
Die Troll Die!

Amen

[jessiethe3rd]

Side note - both Office 2003 and XP are unsupported - they are out of traditional lifecycle support. This would like bringing up some issue in a unsupported OS from Apple and saying that there's exploits in its no longer supported Office suite.

[Random_Walk]

The Microsoft advisory mentions Windows Server 2003, Windows Server 2008, and ISA 2006 (which is the latest version, as Forefront Threat Management Gateway is still in beta)

[JoeF2]

The MS fanboys again...
What does an exploit in MS Office have to do with XP or Vista or IE8???
It affects Vista as well if the particular Office version is installed there.
Last I looked, Vista doesn't come with an office package.

[rmullen0]

You need to read more carefully, it said Office XP, not Windows XP. It reported the facts. CNet isn't a marketting tool for Microsoft. If Microsoft makes products that are full of security holes, they deserve the bad publicity.

[monkeyfun14]

@rmullen0

They sure do Apples marketing even security issues with OSX they try to downplay.

[FF2009]

Windowz Rockzz LOL I like activeX holes on my machine. You cant say your OS can do the same, can you? I thought so.

[ddesy]

Another exploited hole in an MS product? Using ActiveX no less? No surprise.

[slapppy]

Time to add more to that "MICROSOFT TAX" thats currently running 10+Billion with the Conficker worm.

[monkeyfun14]

Lmfao so uneducated.

[Vegaman_Dan]

Excellent point. Let's examine that 10+ billion number more closely, shall we?

You trotted out the figure. Cite your source or face ridicule and shame brought upon your family name for generations to come.

[slapppy]

You want it? You got it. ZD/Net even posted the data. Or you can get the source here:

http://cybersecureinstitute.org/blog/?p=15

[BogusBasin]

@Vegaman

Oooh burn! Mister "Cite your sources or face shame". I see you do this all the time. Everyone is responsible to cite their sources but you. Why would anyone need to cite their sources about the Evil Empire that is MS anyway? Is it not plainly obvious to all but the most dedicated MS zealots?

Here's another source for you. 60% of businesses to avoid Win7.
http://www.electronista.com/articles/09/07/13/60pc.of.biz.avoiding.win.7/

Why is that Vegaman? Could it have anything to do with their history of burning anyone that does business with them? People are getting gun shy and for good reason. You can have them. Die Microsoft Die!

Amen

[monkeyfun14]

@BogusBasin

Thank god OSX is so successful in the corporate world.

Oh wait.....

[ImRaptor]

"To date, the Conficker worm has infected countless computers?estimates range wildly from 200,000 to more than 10 million."

I think you need to reread that article you linked to slapppy. I saw no mention of 10+billion.

That and I won't even go into the useless aspect a blog has on relevant data with no refferences.

[handydan918]

10+ billion. The link you cite uses the word "million".

You, sir, are imprecise at best, illiterate at worst. You are of by several orders of magnitude.

That said, a few million MORE micro-bots can no longer be news, can it? Especially ANOTHER active-xploit? At some point, doesn't repeated failure create a pattern resulting in predictability?

[BogusBasin]

@Monkeyfun

Why do you always bring up Apple and OSX? Why!?

[Vegaman_Dan]

@slapppy:

"Time to add more to that "MICROSOFT TAX" thats currently running 10+Billion with the Conficker worm. "
"You want it? You got it. ZD/Net even posted the data. Or you can get the source here:"

You qouoted a blog... not a real article. And even then you got the figures wrong. It's even several years out of date. Here's the quote:

""To date, the Conficker worm has infected countless computers?estimates range wildly from 200,000 to more than 10 million. "

Now math may not be my strong suit, but 10 million versus 10 billion is a bit ... well, wrong. But don't worry, you were only off by 9.9 BILLION, or incorrect 99.9%. Now you can see why I challenged you on it. :)

@BogusBasin:

You may want to look at the sources you're citing. I don't mean the Reuters news article/blog, but the sources that THEY are using. And I mean by that by doing your research to get the real source, not what someone tells you.

Here's the resons for the 60% figure you are trotting out:

"Many of the more than 1,000 companies that responded to a survey by ScriptLogic Corp say they have economized by cutting back on software updates and lack the resources to deploy Microsoft's latest offering."

""Forty-two percent said their biggest reason for avoiding Windows 7 was a "lack of time and resources.""

They don't say anything about Windows 7 being an issue, only that the companies surveyed are in a conservatin mode at this time and aren't looking at *any* OS purchase or upgrade and that includes OS X and Linux.

I'm sorry, but if you want to play the game, you have to play with the big boys with actual reasearch. By the way, note that the survey company did the survey for a fee, but they are not saying who paid for the survey or what the purpose was for. THAT would be very interesting to find out, wouldn't you say?

Yes, I will challenge people when they trot out numbers or figures that I question the validity. You tossed out a link blindly, perhaps hoping nobody would look at that link, or what the source of that article was or to follow the bread crumbs to the original content which is quite different from what you made of it. You have to be willing to go to the real source and not let others do it for you. In this case... I'm sorry, but you got called for BS and caught as well.

[n3td3v]

At least there is a reason to use Microsoft's new anti-virus product "Security Essentials", I've got my copy right here.

[lennie22]

that or if you don't have it essentials you can just upgrade to IE8

[alegr]

I can hear this dialog in 2000, 2001, 2002, 2003, etc:

Security: "Let's deprecate ActiveX because of security problems"
MS: "But they're so convenient! We can't inconvenience users!"

[Lerianis3]

Actually, that is exactly right. ActiveX controls are convenient, and that is why sites STILL USE THEM!

[Random_Walk]

Funny, but it's quite rare to find ActiveX outside of sites whose domain names end in microsoft.com or whose URL's don't end in "/owa" these days... can you list some not-obscure websites that require it, perhaps?

[jake3373]

Okay, I only know ONE site that uses them:
microsoft.com

If anyone finds any other sites that use them, please reply.

[cnation]

so what big deal Microsoft suck anyway

[monkeyfun14]

90% of us don't think so

[rtripathi]

I think 60% think so

[NotForNuthin]

42% of us don't think at all

[monkeyfun14]

87% of us don't care at all.

[ralfthedog]

100% of me thinks Microsoft can go sniff a cat.

[Seaspray0]

with 6% sales tax

[Random_Walk]

...and 30% more in every box.

[Vegaman_Dan]

20% of us like tartar sauce wth our french fries.

[jake3373]

While 90% like ketchup with french fries

[tektaktyks]

i got an email about this last week,from zone alarm

[jessiethe3rd]

Love how CNET points out out of support products by Microsoft need security patches but fail to mention things like iPhone's 46 critical flaw patches in iPhone 3.0.

[monkeyfun14]

That would put Apple in bad light you know we can't be having that around here. xD

[biffhenerson]

People just like to beat down success. Media does it all of the time. They will continue to pick on Microsoft until it is broken into little pieces, just like Michael Jackson. Then they will report how sad they are and blame others when, in fact, they helpped kill the goose that lays the golden eggs. Cnet loves to cast stones at Microsoft. It would be fine if they cast stones at others as well. Oh well, media is media.

[Random_Walk]

Err, love him or hate him, Michael Jackson did manage to help break the color barrier in entertainment. Dunno what Microsoft can claim by comparison...

[Vegaman_Dan]

@Random_Walk:

Huh? Michael Jackson did everything possible to remove any trace of his ancestry to race and distance himself from all those that made him successufl.

I think there were plenty of succesful black entertainers before Jackson... all whom deserve far more respect.

[Random_Walk]

"Michael Jackson did everything possible to remove any trace of his ancestry to race and distance himself from all those that made him successufl."

Google for "Jackson Five", then get back to me. Their first national performance was somewhere around 1968 if that helps.

"I think there were plenty of succesful black entertainers before Jackson..."

Successful with which demographics? I don't doubt the legions of Jazz near-demigods and early rock pioneers like Little Richard, James Brown, Jimi Hendrix, et al, but look at the 'mainstream' demographic, and you'll find five black kids there, led by the youngest of them.

Personally, I'm not all that into the guy's music, but saying that he did nothing to promote racial equality is pretty frickin' ignorant of history at large.

[rkobzarev]

Who thought that putting 'X' and 'hole' is a good idea ;) But seriously, why any one is suprsided and yet another Active 'X-hole'.

[xenophod]

Access Router, disabled ActiveX - problem solved.

[trellend]

My personal comp got this attack from my own website, courtesy of keyloggers snaggin my ftp logins and modifying my website. Of course that can't happen again (locked down), but this spread very rapidly. One of the supposed chinese servers (it's real) is update.cn. That's the one that iframed my site after they had the ftp. Fun Fun Fun. All fixed, but how many hours? MS....... grrrr.

[Hokulea]

The biggest security "hole" will always be the space between the ears of the person sitting at the keyboard. This article is more than a little sparse regarding what software is affected and what is not.

One more reason to block all China domains at the firewall.

[Lerianis3]

No,, because there are plenty of LEGITIMATE chinese domains.... the real problem is that people are NOT USING THEIR BRAINS before allowing a ActiveX control to run.

[Dalkorian]

Lerianis3 should replace the word "before" with "and".

[JoeF2]

The real problem is of course the abomination called ActiveX.
It is high time that MS removes ActiveX from their OS offerings.
Content from the outside world should never have access to the whole OS. Security 101. Everybody except MS has known that for decades. But MS probably sees the introduction of a sandbox model as another "milestone" for IE...