Microsoft XMLHTTP ActiveX Zero-Day Exploit
It's yet another Windows zero-day exploit. Meaning no one - least of all Microsoft - knows where it comes from or how it works. And it affects nearly all Windows systems. But Windows is otherwise almost as secure as Unix. Of course it is.
'A vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.
'The vulnerability is caused due to an unspecified error in the XMLHTTP 4.0 ActiveX Control.
'Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website using Internet Explorer.
'NOTE: The vulnerability is already being actively exploited.'
So reads the Secunia advisory.

Affected systems:
- Windows 2000 Advanced Server
- Windows 2000 Datacenter Server
- Windows 2000 Professional
- Windows 2000 Server
- Windows Server 2003 Datacenter Edition
- Windows Server 2003 Enterprise Edition
- Windows Server 2003 Standard Edition
- Windows Server 2003 Web Edition
- Windows XP Home Edition
- Windows XP Professional
- XML Services (MSXML) 4.x
Recommended actions:

- Users should set the 'kill bit' for the XMLHTTP control.
- Users should 'exercise caution' when opening mail and links in mail.
- Users should (finally) enable the firewall.
- Users should keep antivirus definitions up to date.
- Users in the US who believe they've been attacked should contact their local FBI office. Users outside the US should contact either their own local law enforcement offices or Austin Danger Powers International Man of Mystery.
- Affected users in North America can also contact Microsoft Product Support Services on either 1-866-PCSAFETY or 1-866-PCIDIOCY. Users outside the US can contact the Microsoft Help and Support online.
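For the first of those recommendations, this is what setting the kill bit actually involves. The snippet below is an added example and is not from the original article or from the vendor advisory: it writes the Compatibility Flags value (0x400, the kill bit) under the Internet Explorer ActiveX Compatibility registry key for a given CLSID, preserving any flags already present, and then reads the value back to confirm. The CLSID shown is a placeholder; substitute the CLSID named in the advisory for the control you are blocking.

```powershell
# Added example, not from the original article or the vendor advisory.
# Sets and verifies the ActiveX 'kill bit' for one control by CLSID.
# Must be run from an elevated (administrator) PowerShell prompt.

$KillBit = 0x400   # Compatibility Flags bit that stops IE from instantiating the control
$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER: use the CLSID from the advisory

function Get-ActiveXCompatPath {
    param([Parameter(Mandatory)][string]$Clsid)
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-ActiveXCompatPath -Clsid $Clsid
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Keep any flags already set for this CLSID and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $KillBit)
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $path  = Get-ActiveXCompatPath -Clsid $Clsid
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBit)
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    "Kill bit is set for $Clsid"
} else {
    "Kill bit is NOT set for $Clsid"
}
```

The kill bit only tells Internet Explorer (and other hosts that honour the Compatibility Flags value) not to instantiate the control; the DLL itself stays on disk, so it is a stop-gap, not a replacement for the vendor's fix.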
What It Really Means
- ActiveX is a stillborn Microsoft technology based on something called OLE2. OLE2 is version 2 of OLE. OLE stands for object linking and embedding. The original plans to incorporate OLE2 into Microsoft code everywhere faltered in the mid-1990s when it was discovered the code was too crappy and bloated to be used on the Internet. ActiveX is the result. The relationship between OLE2 and ActiveX is something like Nicole Richie before and after her eating disorder: neither manifestation is acceptable.
- Microsoft raise the bar on Internet security by allowing actual program code contained in their ActiveX controls to be downloaded in stealth to anyone's computer. The prospect of any serious computer user allowing such idiocy is totally nuts.
- These ActiveX controls downloaded in stealth to your computer can do anything - such as what they're doing in this latest zero-day exploit. If you allow ActiveX on your computer, you're a fool.
- No one else on any other platform - Unix, Linux, OS X - needs any comparative technology. Strange but true: the Internet and all its other users have survived wonderfully all these years without it.
- The Microsoft strategy to propagate ActiveX is intimately intertwined with their previous plans to destroy Netscape and Sun and to totally hijack the Internet for their own purposes. Unfortunately it's just another in a long line of rather stupid ideas the Redmond clowns have come out with over the years.
- Microsoft urge you to 'exercise caution' when opening mail and clicking links in mail. They should also be urging you to exercise caution when visiting most any website online. Inasmuch as there are still zero-day exploits against Microsoft web server software that are used to contaminate the sites you visit, literally any site could contain a 'bomb'. Yet Microsoft do not - and cannot - offer you any suggestions as to how you're to exercise caution because there are none.
- A zero-day exploit is an exploit Microsoft can't explain: they don't know how it works and consequently it cannot be fixed.
- Microsoft products have an armada of zero-day exploits waiting for you to smash into.
- Where do you want to go today?