Microsoft was aware of IE flaw long before its exploitation
About 12 months ago, Microsoft was notified of a video control vulnerability affecting its Windows Server 2003 and Windows XP operating systems, which is now being actively exploited worldwide, including on certain .com and .org websites.
However, it was only on July 6, 2009 that Microsoft issued its security advisory on the critical flaw in its Video ActiveX Control, saying that it already knew about the attacks exploiting it. Moreover, Christopher Budd, leader of security response communications at Microsoft, said that the company was informed of the vulnerability in 2008 and immediately began an investigation. DarkReading reported this on July 7, 2009.
Budd further said that, following the investigation, Microsoft decided that removing the ActiveX Control from Internet Explorer was the most appropriate solution. The company wanted to be sure about the issue, so it took some additional time for a complete assessment. Microsoft was also working on a patch to address the flaw and would issue it as soon as it reached a suitable quality for widespread distribution, Budd added.
Meanwhile, the company suggested that computer users set a "kill bit" to disable the Video ActiveX Control, so that they remain protected from attacks that could let a hacker gain the user's privileges on the system, or infect IE 6 and 7 users even if no malicious link was employed.
It also said the attacks exploiting the vulnerability are chiefly originating from Chinese domains and focus on capturing credentials for online games. However, according to security experts, the vulnerability could potentially be exploited for even more dangerous purposes.
Security and vulnerability research lab iDefense, in the meantime, released a press report on July 7, 2009 that gives more information about the flaw and the ensuing attacks. Applauding Microsoft, the statement says that the company has graciously shared its progress while preparing the fix and has been diligently carrying out remedial efforts, adding that the unique circumstances and mechanics of the flaw understandably explain why Microsoft needed the time to prepare the patch, reports DarkReading.
» SPAMfighter News - 28-07-2009