Was Microsoft Slow to Patch Video ActiveX Vulnerability?
The vulnerability in the Video ActiveX control Microsoft has warned about was reported to the company in 2008, but that doesn't mean Microsoft dragged its feet too much when it came to patching, says one of the researchers who found the vulnerability. With hackers circling, however, users may not want to wait on a patch to protect them.

The unpatched vulnerability in the Video ActiveX control that Microsoft has warned about was reported to the company in 2008, but one of the security researchers who found it refused to criticize Microsoft's response to the threat. The bug was uncovered by researchers Alex Wheeler and Ryan Smith, who at the time both worked at IBM's ISS X-Force. A Microsoft spokesperson said the company first learned of the vulnerability in 2008 and immediately began an investigation.
"I really don't think it's an entirely too long of a period," said Wheeler, who is now with TippingPoint DVLabs. "They've got a lot of bugs to deal with, a lot of bugs to patch, and they try to address the most critical and serious ones first, those being the ones ... exploited currently. This particular bug affected a lot of different areas of code so I think it's reasonable for them to take a while to address it."
"What we've been able to determine so far is most of the early attack data was coming from IP addresses located or geo-IP located outside the U.S.," Wheeler said, adding that there is more than one variant of the exploit going around. Internet Explorer is particularly susceptible to the drive-by attacks, and Microsoft is recommending that users remove support for the ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section of the Microsoft advisory. There is also a way for organizations to automatically deploy the workaround, available here. In addition to CVE-2008-0015, X-Force also identified a memory corruption vulnerability in the ActiveX control registered as CVE-2008-0020. Microsoft officials did not say when a patch would be made available for the flaw. The next round of Patch Tuesday fixes for Microsoft is scheduled for July 14.
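The workaround the article describes, removing Internet Explorer's support for the control by its Class Identifiers, is implemented in Windows through the ActiveX "kill bit": a `Compatibility Flags` DWORD with the value 0x400 under the `ActiveX Compatibility` registry key for each CLSID. The script below is an added example written for this page; it is not Microsoft's Fix it package or anything from the advisory. It assumes an elevated PowerShell session, and the CLSID list is a labelled placeholder that an administrator must fill in from the Workaround section of the advisory, since the article does not reproduce those identifiers.

```powershell
# Added example (not from the article or from Microsoft): set and verify the
# Internet Explorer kill bit for a list of ActiveX Class Identifiers.
# Kill bit = DWORD "Compatibility Flags" with bit 0x400 set under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# On 64-bit Windows the 32-bit IE process reads the Wow6432Node copy of that
# key, so both locations are written there.
#Requires -RunAsAdministrator

# PLACEHOLDER: replace with the CLSIDs listed in the Workaround section of the
# Microsoft advisory. The value below is a constructed, syntactically valid GUID
# and is not one of the real identifiers.
$ClsidList = @(
    '{00000000-0000-0000-0000-000000000000}'
)

$KillBit   = 0x400
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already present on the control and OR in the kill bit.
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$current -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    # Returns $true only when the kill bit is present in every applicable hive,
    # which is the check to run after deployment (or to audit machines that
    # should already have the workaround).
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($null -eq $flags) -or ((([int]$flags) -band $KillBit) -ne $KillBit)) {
            return $false
        }
    }
    return $true
}

# Apply the workaround and report the verified state per CLSID.
foreach ($clsid in $ClsidList) {
    Set-ActiveXKillBit -Clsid $clsid
    [pscustomobject]@{ CLSID = $clsid; KillBitSet = (Test-ActiveXKillBit -Clsid $clsid) }
}
```

The kill bit is read when Internet Explorer instantiates a control, so open browser sessions need to be restarted for it to take effect. `Test-ActiveXKillBit` can be run on its own across a fleet to confirm the workaround actually landed, and the same functions can later be used to confirm that Microsoft's eventual patch did not need the bit cleared (a kill bit stays in force until it is explicitly removed).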