New bug-a-day project targets Microsoft's ActiveX

Month of ActiveX Bugs debuts

Another bug-a-day campaign surfaced Tuesday as the "Month of ActiveX Bugs" debuted. Although some researchers have already dismissed the project as copycat, others are warning its findings might put Windows users at risk of attack.

The sparse postings so far on the Month of ActiveX Bugs (MoAxB) site by someone identified as "shinnai" hint that the majority of the vulnerabilities will be denial-of-service (DoS) flaws that can cause the running application and/or operating system to crash, forcing a relaunch or restart.

ActiveX is a Microsoft technology for enhancing and customizing Web pages to make them more interactive. ActiveX is used for a bewildering array of chores, from initiating Microsoft's Windows Update to adding streaming media to a Web site.

As of Wednesday, MoAxB has posted two vulnerabilities. One is in a PowerPoint viewer; the other in an Excel viewer. The controls can be used to host an Excel or PowerPoint file in an online form or on a Web page, and they are sold by a developer tools company called Office OCX.

In a warning to customers of its DeepSight threat network, security vendor Symantec dismissed the debut bug, saying, "The first posted vulnerability is of little significance." But other security companies, including Danish bug tracker Secunia APS and the French firm FrSIRT.com, have pegged the ActiveX vulnerabilities as "highly critical" and "critical," respectively.

And some writers on the Full Disclosure security mailing list weren't ready to brush off the bugs simply because they seemed to be DoS vulnerabilities, not more dangerous remote-execution-type flaws. "Regardless of whether it results in remote code execution, I don't think a DoS should necessarily be discounted as frivolous or irrelevant," said one writer identified as Steven. "It might not rank up there with 'critical' or 'high' vulnerabilities, but it is a vulnerability nonetheless."

"There have been multiple instances on the [security mailing] lists throughout the years where a DoS suddenly became promoted to a remotely exploitable bug," said a writer named Robert on the same thread.

Gregg Keizer

Computerworld