Microsoft's April Patch Day disclosed serious vulnerabilities and important patches to the operating system, but in the long term I think the most interesting one was MS08-023-Security Update of ActiveX Kill Bits.
This update addresses two vulnerabilities by setting three "kill bits" in the registry for those controls, disabling them. Two are Microsoft controls that suffered from a vulnerability disclosed in this report. The third is a third-party control, the Yahoo Music Jukebox. Until a February update to that product, it shipped with two buggy ActiveX controls. MS08-023 mops up afterward by making sure that the old, buggy code is disabled.
How many other such controls are out there? Consider all those crapware controls that were preloaded on your PC when you bought it. Secunia lists 335 security advisories that contain the word "ActiveX" in them.
Did you ever check with Hewlett-Packard or whomever to see if there were security updates for that notebook you bought? No? Did HP contact you about those updates? I didn't think so. As Secunia likes to point out now and then, the average PC has numerous old, vulnerable versions of programs, and the user may even be unaware of them.
Even though I've always thought that ActiveX controls get a lot of undeserved bad press, it's clear that they are worse in this regard than other types of programs. A badly designed and vulnerable ActiveX control is a welcome mat to hostile software on whatever Web site you are unfortunate enough to visit, and many vendors were downright stupid over the years in their development and deployment of ActiveX controls.
I think this is less of a problem with more recent systems and software, but there's a world of old, bad ActiveX controls out there, and the only practical way to get to them is through Windows Update. Few of them have automatic update facilities, and users are unlikely to check manually. Certainly, if Windows Update doesn't get to those systems then they're a lost cause anyway.
I'd like to think that Microsoft was listening to me when I wrote, a few months ago, that it should offer to use Windows Update to update third parties' applications. This is a comparatively primitive form of what I proposed, in that nothing is actually removed. But I like the idea, and I can relate to Microsoft wanting to start slow.
I asked Microsoft for a comment and got boilerplate ActiveX information, like what kill bits are. Yawn. But here are the links they sent me, in case they can be useful:
- Disabling ActiveX controls in Internet Explorer
- How to tell if ActiveX control vulnerabilities are exploitable in Internet Explorer
- Helping ensure controls cannot be misused by other sites
- Ensures users get the latest, safest version of their controls: Best Practices for ActiveX Updates
- How to design secure ActiveX controls on several Web sites
- MSDN: Designing secure ActiveX controls
- MSDN: Safe initialization and scripting for ActiveX controls
- Fabulous adventures in coding: Script and IE security
- Frequently asked questions about certain IE vulnerabilities
But another publication got better answers out of Microsoft. Computerworld cites Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), as saying that Microsoft will kill-bit anyone's control if they ask. Just e-mail email@example.com and tell them who you are and what you want to do. The policy is not new.
Let's hope developers notice and take advantage of Microsoft's offer. I still hope that this is the begriming of a policy to use the broad reach of Windows Update to mitigate the mess of dirty third-party code out there using even more aggressive measures. There are definitely some big issues to work out-principally cost and liability-but it's in everyone's interest, including Microsoft's, for this to happen.
Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.