Microsoft this week said it would lock down other vendors' software using Windows Update-delivered fixes if those companies ask Microsoft to help stymy attacks. The company explained its efforts after being asked about a security update that disabled a vulnerable ActiveX control used by Yahoo's music player program.
"If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail email@example.com to work with Microsoft to issue a kill bit, disabling that control," Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), said in an e-mail.
Earlier in the day, Microsoft released eight security updates, including one that set the "kill bit" for the Yahoo Music Jukebox -- software that until a February revision was released had shipped with two buggy ActiveX controls.
Setting the kill bit for an ActiveX control involves modifying the Windows registry and disables the ActiveX control. It does not patch the problem, and setting the kill bit means the control's functionality is lost. The policy is not new, said Rains, although the manner in which Microsoft served up the latest kill bit is. "Microsoft issued a security update specifically including kill bits for these ActiveX controls because it provides advantages to customers rather than wrapping them into Internet Explorer cumulative updates, which has been the usual method for distributing ActiveX kill bits," he said.
"This is the first time the MSRC has grouped ActiveX kill bits into a separate security update," Rains confirmed. "Customers can precisely target vulnerabilities that are related to ActiveX controls without having to install an Internet Explorer update." He also said that the MSRC turned off the Yahoo ActiveX control because Yahoo asked Microsoft to do it. "...Yahoo came to the company directly with a request that a kill bit be issued for Yahoo's Music Jukebox," said Rains.
In February, just days after a researcher rooted out flaws in a pair of ActiveX controls used by Music Jukebox, Yahoo patched the player. It required users to download and install the newest version before accessing the portal's music service. Yahoo did not reply to questions about why it asked Microsoft to issue the kill bit instructions as part of a Windows Update patch when it had already fixed Music Jukebox.
As Rains noted, Microsoft has disabled ActiveX controls used by other companies' software in the past as part of broader updates for IE, Microsoft's browser. In December 2005, for example, it set the kill bit of an ActiveX control developed by a company called First4Internet Ltd. and distributed by Sony BMG Music Entertainment as part of its since-abandoned copy-protection technology.
"This kill bit is being set with the permission of the owner of the ActiveX control," Microsoft said in its MS05-054 security advisory, a cumulative update to IE 5.0. 5.5 and 6.0 published Dec. 13, 2005.
First4Internet, Sony BMG and the latter's copy-protection schemes made headlines in November 2005 when a researcher revealed that the music label was installing a rootkit -- software designed to hide the presence of other programs -- to mask the anti-piracy code it was putting on customers' PCs.