InactiveX

Posted on 08-07-2009

Yet another security vulnerability discovered in an ActiveX control for IE that Microsoft likely forgot even existed.

Like an excited child Microsoft shows off its new toys with every new OS, only to forget to put it away when it's broken. The result, Windows is now a mess of dlls and activeX controls, which have far outlived their use and purpose.

Yet how does it really matter though if you have a few extra actievX controls here and there? We all have enough storage space now, don't we?

Each active piece of code opens up a new vector of attack from malicious parties. As in the case of this ActiveX component which already been exploited. For a user using Microsoft Internet Explorer on Windows XP or 2003, the exploit can give a remote full control of your computer just by making you visit a website.

According to Microsoft's Security Advisory:

Related Stories:

Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control.

Essentially the control is useless and quite unusually Microsoft gives you instructions and asks you to remove the offending registry entries! Although Microsoft will have a patch out soon.

For those of you using Internet Explorer, Microsoft recommends that you disable the ActiveX even if you are using a newer OS. You can find more information about how to do this here , or you can use their automated workaround available here. The workaround merely patches the registry for disabling the ActiveX for you, if you're uncomfortable with mucking about your registry yourself.

One would expect that the frequency of such exploits coming about would turn people away from IE, yet it remains the dominant browser even today. If this keeps up though, the inertia can only last so long.