Another Critical ActiveX Flaw Exploited in Microsoft Product

According to Microsoft's security advisory released on July 13, 2009, in a second incident over a single week (2nd week of July 2009), cyber attackers are taking advantage of an unpatched serious vulnerability within an ActiveX control that could place users of Internet Explorer in danger.

The software giant has been preoccupied admitting 'zero-day' security flaws. The last acknowledgement was the 3rd during May-June 2009, and the 5th since February 2009.

Microsoft states that the security flaw, a zero-day bug, exists in Office Web Components - a collection of several ActiveX controls by which Office material is published on the Web as well shown in Internet Explorer. Furthermore, the flaw is in the ActiveX control which shows Excel documents in Internet Explorer, said the advisory.

In the meantime, Microsoft has rated the new flaw as "critical" and said that it affected Office 2003, Office XP, Office Small Business Accounting 2006, Internet Security and Acceleration 2006, and ISA 2004.

Fermin Serna, an Engineer at Microsoft Security Response Center, wrote in a blog post that attackers could exploit the flaw to execute code remotely in the context of the browse-and-get-owned environment, as reported by ComputerWorld on July 13, 2009.

When Microsoft disclosed the vulnerability, the timing was particularly uncomfortable for the company as senior executives were spending most of the day (July 13, 2009) advertising the newly prepared Office 2010 due for release in 2010 alongside Office Web that comprises modified online editions of OneNo`te, Excel, Word and PowerPoint.

Meanwhile, Microsoft had earlier discouraged users from running the flawed ActiveX control. Although the reason was not clear, specialists think it was possibly due to a looming security problem. The company suggests that till it develops a patch, users may initiate a workaround that would not let the Office Web Components Library to run in IE.

While Microsoft stated that it was on the job for developing the security update, antivirus provider Sophos reported that it knew about many Chinese websites that were giving out the attack code within a kit for Web exploits which downloaded and executed certain Windows Executable identified as 'Mal/Generic-A.'

Related article: Another Worm Using Bush’s Theme Creeps Into PCs

» SPAMfighter News - 8/3/2009