Just a day before Microsoft releases a sizable set of patches,
including a fix for a nasty zero-day
critical vulnerability is rearing its ugly head.
Microsoft (NASDAQ: MSFT) confirmed Monday that yet another bug that
takes advantage of a hole in an old ActiveX control to violate a PC’s
security has cropped up. ActiveX controls are plug-ins for Internet
Explorer that provide additional functions to the browser.
Like a similar bug revealed
a week ago, users are already under attack, Microsoft said Monday in
a Security Advisory. In the case of the newest bug, the company would
only say that there have been “attempts” to exploit the bug.
The earlier hole, though, had reportedly already been used to infect
thousands of Web sites in China by the time Microsoft got a Security
Advisory out that contained a description of a workaround.
Beyond the workaround, the hole Microsoft warned about last week is
to be permanently fixed on July 14, in this month’s “Patch Tuesday”
drop of fixes and updates, Microsoft said.
According to Microsoft’s latest Security Advisory, Microsoft is
already working on a patch for the new hole, although it doesn’t say how
soon it will be available.
In the meantime, the workaround for the latest hole works the same
way as the workaround for last week’s zero-day. Both work because of
vulnerabilities in old or discontinued ActiveX controls. Users can block
attacks by setting that particular ActiveX control’s “kill bit” — a
registry setting that keeps the control from executing.
Microsoft is working on a more permanent fix, however.
The latest bug is in add-in software called Office Web Components,
used in publishing, for instance, spreadsheets on a Web site. In
contrast, last week’s hole is located in a part of Windows that handles
video. However, the workarounds are identical — setting the control’s
kill bit disables potential attacks.
According to Microsoft’s latest Security
Advisory, Office XP Service Pack 3 (SP3) and Office 2003 SP3 are
affected, along with Office Web Components for Office XP SP3 and Office
2003 SP3. Office 2003 Web Components for the 2007 Microsoft Office
system SP1 is also affected.
In addition, versions of Internet Security and Acceleration Server
from 2004 through 2006 also include the Office Web Components, so also
need the workaround or the patch when it’s complete and tested.
Microsoft has two options for users who want to use the workaround
while Microsoft works on a patch. It provides instructions for how
to set the Office Web Components kill switch manually. Alternately,
Microsoft has a “Fix It
for Me” site that will modify the registry automatically.