RealTime IT News

Zero-Day Attacks Keep Coming for Microsoft

Just a day before Microsoft releases a sizable set of patches, including a fix for a nasty zero-day bug, another critical vulnerability is rearing its ugly head.

Microsoft (NASDAQ: MSFT) confirmed Monday that yet another bug that takes advantage of a hole in an old ActiveX control to violate a PC's security has cropped up. ActiveX controls are plug-ins for Internet Explorer that provide additional functions to the browser.

As with a similar bug revealed a week ago, users are already under attack, Microsoft said Monday in a Security Advisory. In the case of the newest bug, the company would only say that there have been "attempts" to exploit it.

The earlier hole, though, had reportedly already been used to infect thousands of Web sites in China by the time Microsoft got a Security Advisory out that contained a description of a workaround.

Beyond the workaround, the hole Microsoft warned about last week is scheduled to be permanently fixed on July 14, in this month's "Patch Tuesday" drop of fixes and updates, Microsoft said.

According to Microsoft's latest Security Advisory, Microsoft is already working on a patch for the new hole, although it doesn't say how soon it will be available.

In the meantime, the workaround for the latest hole works the same way as the workaround for last week's zero-day. Both apply because each vulnerability lies in an old or discontinued ActiveX control. Users can block attacks by setting that particular ActiveX control's "kill bit" -- a registry setting that keeps Internet Explorer from loading the control.

Microsoft is working on a more permanent fix, however.

The latest bug is in add-in software called Office Web Components, used, for instance, to publish spreadsheets on a Web site. In contrast, last week's hole is located in a part of Windows that handles video. The workarounds, however, are identical -- setting the control's kill bit disables potential attacks.

According to Microsoft's latest Security Advisory, Office XP Service Pack 3 (SP3) and Office 2003 SP3 are affected, along with Office Web Components for Office XP SP3 and Office 2003 SP3. Office 2003 Web Components for the 2007 Microsoft Office system SP1 is also affected.

In addition, versions of Internet Security and Acceleration Server from 2004 through 2006 also include the Office Web Components, so they also need the workaround, or the patch once it is complete and tested.

Microsoft offers two options for users who want to apply the workaround while it works on a patch. It provides instructions for setting the Office Web Components kill bit manually. Alternatively, Microsoft has a "Fix It for Me" site that will modify the registry automatically.
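The kill-bit workaround described above, as an added PowerShell example that is not from the article or from Microsoft's advisory: it reads the per-control "Compatibility Flags" registry value that Internet Explorer consults and reports whether the kill bit (0x400) is present, with a second function that sets it. The CLSID is a placeholder; the real identifier for the affected Office Web Components control comes from Microsoft's advisory, not from this page.

```powershell
# Added example, not Microsoft's "Fix It" code. The CLSID is a PLACEHOLDER;
# substitute the CLSID(s) of the affected control from the Security Advisory.
$ClsidPlaceholder = '{00000000-0000-0000-0000-000000000000}'

# Internet Explorer refuses to load a control when bit 0x400 is set in this
# per-CLSID DWORD under the ActiveX Compatibility key.
$KillBitFlag = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $null }        # no entry: control not blocked
    (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatFlags -Clsid $Clsid
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = Get-CompatFlags -Clsid $Clsid
    if ($null -eq $existing) { $existing = 0 }
    # OR in the kill bit so other compatibility flags already present survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($existing -bor $KillBitFlag) -Type DWord
}

if (Test-KillBit -Clsid $ClsidPlaceholder) {
    Write-Output "Kill bit already set for $ClsidPlaceholder"
} else {
    Write-Output "Kill bit NOT set for $ClsidPlaceholder; run Set-KillBit from an elevated prompt to apply the workaround"
}
```

Writing under HKLM requires an elevated session, and on 64-bit Windows the 32-bit browser reads the same key under SOFTWARE\Wow6432Node, so an audit should check both locations.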