Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • PC Hardware

    Microsoft ActiveX Security Bugs ‘Highly Critical’

    Written by

    Brian Prince
    Published December 23, 2010
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Microsoft counted 106 security bulletins for 2010 when it released its final Patch Tuesday update for the year. But with 2010 now coming to a close, additional bugs are popping up – this time in an ActiveX control.

      According to researchers at Secunia, “highly critical” vulnerabilities have been found impacting the Microsoft WMI Administrative Tools WMI Object Viewer ActiveX Control.

      “Two vulnerabilities have been discovered in Microsoft WMI Administrative Tools, which can be exploited by malicious people to compromise a user’s system,” reported Secunia. “The vulnerabilities are caused due to the “AddContextRef()” and “ReleaseContext()” methods in the WMI Object Viewer Control (WBEM.SingleViewCtrl.1) using a value passed in the “lCtxHandle” parameter as an object pointer.”

      The vulnerabilities are confirmed in version 1.1 (WBEMSingleView.ocx 1.50.1131.0), though other versions may be affected as well, Secunia noted. A successful exploit would enable an attacker to execute arbitrary code, the firm warned.

      Dave Forstrom, director of the Trustworthy Computing at Microsoft, said there have been no reports of attacks related to the issue, and the company is investigating the matter.

      “Once we’re done investigating, we will take appropriate actions to help protect customers,” he told eWEEK.

      Historically, ActiveX bugs have been big targets, noted Andrew Storms, director of security operations at nCircle.

      “We haven’t seen a good ActiveX scare in some time so time isn’t on our side, but it’s still too early to make a call on how things will shape up with this bug,” Storms said.

      Besides the ActiveX bugs, the company is also investigating a denial-of-service issue impacting IIS FTP 7.5, which ships with Windows 7 and Windows Server 2008 R2. Proof of concept exploit code has already been made public, according to Nazim Lala, IIS security program manager at Microsoft.

      “First, this is a Denial of Service vulnerability and remote code execution is unlikely,” Lala blogged. “The vulnerability occurs when the FTP server attempts to encode Telnet IAC (Interpret As Command) character in the FTP response. The IAC character, which is represented as decimal 255 (Hex FF) in the response, needs to be encoded by the addition of another decimal 255 character in the FTP response where we find the presence of the IAC character.”

      Due to an error in this processing, it is possible to get into a state where an attacker can overwrite part of the response with a string of 0xFFs past the end of the heap buffer, Lala explained. The end result is a heap buffer overrun.

      “In that situation, the only data that a malicious client controls in this overrun is the number of bytes by which the buffer is overrun,” blogged Lala. “It cannot control the data that is overwritten…Also, the malicious client does not control the addresses where data is overridden, and the data is always overridden in a sequential manner. The FTP service 7.5 is also protected by Data Execution Prevention (DEP).”

      “We’ll continue to investigate this issue and, if necessary, we-ll take appropriate action to help protect customers,” Lala wrote. “This may include providing a security update through the monthly release process or additional guidance to help customers protect themselves.”

      Dec. 22, Microsoft issued an advisory on a previously reported vulnerability in Internet Explorer.

      Brian Prince
      Brian Prince

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.