Windows users hit by 'bug-a-day' threat

Hackers plan ActiveX denial-of-service campaign

Another bug-a-day campaign, the "Month of ActiveX Bugs", has emerged, this time targeting Microsoft. Although some researchers have already dismissed the project as a copycat of the Month of Apple Bugs, others are warning that its findings might put Windows users at risk of attack.

The sparse postings so far on the Month of ActiveX Bugs (MoAxB) site by someone identified as ‘shinnai’ hint that the majority of the vulnerabilities will be denial-of-service (DoS) flaws that can cause the running application and/or operating system to crash, forcing a relaunch or restart.

ActiveX is a Microsoft technology, built on the Component Object Model (COM), that lets a web page instantiate native-code components, known as controls, inside Internet Explorer. Because a control runs as native code with the privileges of the user viewing the page, a flaw in a control is a flaw in the browser session itself. ActiveX is used for a bewildering array of chores, from initiating Microsoft's Windows Update to adding streaming media to a website.

As of Wednesday, MoAxB had posted two vulnerabilities: one in a PowerPoint viewer control, the other in an Excel viewer control. The controls can be used to host an Excel or PowerPoint file in an online form or on a web page, and they are sold by a developer tools company called Office OCX.

In a warning to customers of its DeepSight threat network, security vendor Symantec dismissed the debut bug, saying: "The first posted vulnerability is of little significance." But other security companies, including Danish bug tracker Secunia APS and the French firm FrSIRT.com, have pegged the ActiveX vulnerabilities as ‘highly critical’ and ‘critical’, respectively.

And some writers on the Full Disclosure security mailing list weren't ready to brush off the bugs simply because they appeared to be DoS vulnerabilities rather than more dangerous remote-code-execution flaws. "Regardless of whether it results in remote code execution, I don't think a DoS should necessarily be discounted as frivolous or irrelevant," said one writer identified as Steven. "It might not rank up there with 'critical' or 'high' vulnerabilities, but it is a vulnerability nonetheless."

"There have been multiple instances on the [security mailing] lists throughout the years where a DoS suddenly became promoted to a remotely exploitable bug," said a writer named Robert on the same thread.

www.computerworld.com
