Sunday, October 01, 2006

More Vulnerable ActiveX Controls

Yes, just after Microsoft was finally coaxed into releasing an "out of band" patch for the actively exploited VML vulnerability last week, along came another vulnerability. Microsoft has yet to fix an earlier vulnerability in the DirectAnimation Path ActiveX Control (DAXCTL) that was found the week before the VML vulnerability.

I do wonder why we all have to try so hard to get Microsoft to release critical security patches for actively exploited vulnerabilities, such as the WMF vulnerability in December 2005, this VML issue, the DAXCTL issue and the recently discovered WebViewFolderIcon control vulnerability - sure, this one was only discovered a few days ago and is being actively exploited already, but Microsoft will try to get the patch in their regular "Black Tuesday" patches, or wait until next month. Absurd, if you ask me, to wait that long for actively exploited vulnerabilities to be patched.

Now, Jesper has already mentioned this vulnerability in his blog, complete with a workaround that disables the vulnerable control (and one for the DAXCTL issue as well), which is great. Microsoft has published a Security Advisory with similar information in it.
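The workaround both Jesper and the Microsoft advisory describe is the Internet Explorer "kill bit": set the 0x400 flag in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and IE refuses to instantiate that control from a web page. The script below is an added example, not Jesper's or Microsoft's, that sets and then verifies the kill bit for a list of CLSIDs. The two CLSIDs in it are the ones I recall from the Microsoft advisories for the WebViewFolderIcon and DirectAnimation Path controls; treat them as values to confirm against the advisory text before deployment. It assumes a current PowerShell and an elevated session.

```powershell
# Set or check the IE "kill bit" for ActiveX controls. Added example, not
# Microsoft's or Jesper's script. Run elevated: the key lives under HKLM.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # the "Compatibility Flags" bit that disables the control in IE

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the flag in so any other compatibility flags already present survive
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band $KillBitFlag) -eq $KillBitFlag
}

# CLSIDs as I recall them from the Microsoft advisories for these controls.
# Assumption: confirm each against the published advisory before rolling out.
$Controls = @{
    'WebViewFolderIcon'    = '{844F4806-E8A8-11d2-9652-00C04FC30871}'
    'DirectAnimation Path' = '{D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}'
}

foreach ($name in $Controls.Keys) {
    $clsid = $Controls[$name]
    Set-ActiveXKillBit -Clsid $clsid
    '{0,-20} {1} kill bit set: {2}' -f $name, $clsid, (Test-ActiveXKillBit -Clsid $clsid)
}
```

Two caveats a practitioner will want: on 64-bit Windows the 32-bit IE reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set it in both places; and the kill bit only stops Internet Explorer (and other hosts that honour it) from loading the control, it does not remove or patch the DLL, so the real fix is still the vendor patch when it arrives.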

The issue here is that not many admins look at either Jesper's blog or the Microsoft Security Advisories, which - to my way of thinking - is frightening. I can understand the "I can use both buttons on a mouse so they made me the sysadmin of our network" people not knowing enough to secure their systems - it isn't a job they asked for and isn't a job they know how to perform properly - but I cannot understand nor accept that professional sysadmins don't keep up to date on the latest security issues relating to the systems under their control. That is "DCM Slip" fodder if ever there was any.

The bigger issue, not caused by, but at least enhanced by, those sysadmins who are not keeping up with security issues, is that according to the SANS Internet Storm Center this issue is being actively exploited. The exploit at least installs a rootkit, and possibly does other malicious things. This is bad. Most decent AntiVirus programs should be detecting this and any variants. I know NOD32 has been detecting variants since 28 September 2006, and Trend since 30 September 2006.

Security is not an endpoint, it is a journey. We can never, ever secure our machines - we can only increase their level of protection.

Regards,

The Outspoken Wookie
