On Tuesday, Microsoft released an emergency patch to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other web application components that has been targeted in attacks.

According to world news, a critical patch for all versions of IE will protect consumers, while a security update for Visual Studio will help developers fix the controls and components they built that could be affected.

Microsoft also has had discussions with Adobe, Sun and Google about some components involving their software that are affected, said Mike Reavey, director of the Microsoft Security Response Center. He declined to elaborate.

Internet Explorer users running Flash Player and Shockwave Player are vulnerable, Adobe said in a blog post that contains links to the Adobe security bulletins for those products.

A Google representative said the company has been working with Microsoft on the issues but declined to comment further. And a Sun representative did not respond to a call seeking comment.

Cisco will release free software updates for any of its software that is affected by the vulnerability and is making available workarounds that mitigate the issue, the company said in a detailed advisory.

Microsoft released two security updates that deal with a vulnerability in its Active Template Library, which is used to build components for web applications. The flaw could be exploited to take control of the computers of web surfers who visit sites hosting malicious code.

The critical update, MS09-034, is targeted at IE users. The other update, MS09-035, is targeted at Visual Studio developers and is rated moderate. It affects Visual Studio 2005 and 2008.

"A library can get used in a lot of places, and vulnerabilities in libraries are challenging," Reavey said. "It's an industry-wide problem when [vulnerabilities] do happen."

"The vulnerability is in the controls, not IE; however, to provide protections while developers update the controls, IE (versions that are patched) will block attacks," he said.

The company warned on Friday that a security update would come on Tuesday instead of waiting for the next Patch Tuesday cycle on 11 August. This is only the ninth out-of-band release Microsoft has had, according to Reavey.

Microsoft first warned about the ActiveX issue on 6 July, saying that a vulnerability in its Video ActiveX Control could allow an attacker to take control of a PC if the user visits a malicious website, and that attackers were exploiting the hole. The company offered a workaround for the issue.

During the July Patch Tuesday release the following week, Microsoft still did not have a patch ready and was recommending a manual 'kill bit' method to disable ActiveX, or sending customers to a 'Fix it for me' website.

However, researchers figured out a way to get around the kill bit protection mechanism, thus rendering it ineffective and exposing the system to attack, said Eric Schultze, chief technology officer at Shavlik Technologies.



Sammy Feliciano