The precedent is set, as Microsoft killed a Yahoo ActiveX control with its last round of updates. Microsoft's
April Patch Day disclosed serious vulnerabilities and important patches to
the operating system, but in the long term I think the most interesting one was
MS08-023—Security
Update of ActiveX Kill Bits.
This update addresses two vulnerabilities by setting three "kill
bits" in the registry for those controls, disabling them. Two are
Microsoft controls that suffered from a vulnerability disclosed in this report.
The third is a third-party control, the Yahoo Music Jukebox. Until a
February update to that product, it shipped with two buggy ActiveX
controls. MS08-023 mops up afterward by making sure that the old, buggy code is
disabled.
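A kill bit is just bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility key for a control's CLSID, so an administrator can audit a machine for them. The following PowerShell is an added example, not code from the article or from Microsoft; the CLSID in the comment is a placeholder, and the friendly-name lookup assumes the control is still registered under HKCR\CLSID.

```powershell
# Added example: list ActiveX controls that Windows Update (or an admin) has kill-bitted.
# Kill bit = bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
$KillBit   = 0x400
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    # Returns $true when the kill bit is set for the given CLSID,
    # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder, not a real control)
    param([Parameter(Mandatory)][string]$Clsid)
    $item = Get-ItemProperty -LiteralPath (Join-Path $CompatKey $Clsid) `
                             -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -ne 0)
}

function Get-KillBittedControls {
    # Enumerate every CLSID under the compatibility key and keep those with the kill bit set.
    Get-ChildItem -LiteralPath $CompatKey -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -LiteralPath $_.PSPath -Name 'Compatibility Flags' `
                                   -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band $KillBit) -ne 0)) {
            $clsid = $_.PSChildName
            # A kill bit blocks IE from instantiating the control; it does not remove it.
            # If HKCR\CLSID still has an entry, the old binary is still on this machine.
            $name = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" `
                                      -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                CLSID           = $clsid
                Name            = $name
                Flags           = ('0x{0:X8}' -f $flags)
                StillRegistered = [bool]$name
            }
        }
    }
}

# Controls that are both kill-bitted and still registered are the ones worth uninstalling.
Get-KillBittedControls | Sort-Object StillRegistered -Descending | Format-Table -AutoSize
```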
How many other such controls are out there? Consider all those crapware
controls that were preloaded on your PC when you bought it. Secunia lists 335 security advisories that
contain the word "ActiveX" in them.
Did you ever check with Hewlett-Packard or whomever to see if there were
security updates for that notebook you bought? No? Did HP contact you about
those updates? I didn't think so. As Secunia likes to point out now and then,
the average PC has numerous old, vulnerable versions of programs, and the user
may even be unaware of them.
Even though I've always thought that ActiveX controls get a lot of
undeserved bad press, it's clear that they are worse in this regard than other
types of programs. A badly designed and vulnerable ActiveX control is a welcome
mat to hostile software on whatever Web site you are unfortunate enough to
visit, and many vendors were downright stupid over the years in their
development and deployment of ActiveX controls.
I think this is less of a problem with more recent systems and software, but
there's a world of old, bad ActiveX controls out there, and the only practical
way to get to them is through Windows Update. Few of them have automatic update
facilities, and users are unlikely to check manually. Certainly, if Windows
Update doesn't get to those systems then they're a lost cause anyway.
I'd like to think that Microsoft was listening to me when I
wrote, a few months ago, that it should offer to use Windows Update to update third
parties' applications. This is a comparatively primitive form of what I
proposed, in that nothing is actually removed. But I like the idea, and I can
relate to Microsoft wanting to start slow.
I asked Microsoft for a comment and got boilerplate ActiveX information,
like what kill bits are. Yawn. But here are the links they sent me, in case
they can be useful:
Disabling ActiveX controls in Internet Explorer
How to tell if ActiveX control vulnerabilities are exploitable in Internet Explorer
Helping ensure controls cannot be misused by other sites
Ensuring users get the latest, safest version of their controls: Best Practices for ActiveX Updates
How to design secure ActiveX controls on several Web sites
But another
publication got better answers out of Microsoft. Computerworld cites Tim
Rains, a spokesman for the Microsoft Security Response Center (MSRC), as saying
that Microsoft will kill-bit anyone's control if they ask. Just e-mail
secure@microsoft.com and tell them who you are and what you want to do. The
policy is not new.
Let's hope developers notice and take advantage of Microsoft's offer. I
still hope that this is the beginning of a policy to use the broad reach of
Windows Update to mitigate the mess of dirty third-party code out there using
even more aggressive measures. There are definitely some big issues to work
out—principally cost and liability—but it's in everyone's interest, including
Microsoft's, for this to happen.
Security Center
Editor Larry Seltzer has worked
in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack.