
SANS ISC: InfoSec Handlers Diary Blog


Microsoft Altering ActiveX in Next Set of Patches

Published: 2006-03-30
Last Updated: 2006-03-30 21:46:03 UTC
by Ed Skoudis (Version: 1)

We've gotten several e-mails from diligent readers (Thank you, Juha-Matti, Richard, and others) about Microsoft's plans to alter the way ActiveX controls work in a non-security-related update associated with some legal imbroglio.  According to Microsoft:

"So [On April 11] when we release the next cumulative IE security update [which will also include the non-security update associated with ActiveX], customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key."

That's not the end of the world, but it is worth noting.

What does this mean to you?  On April 11, some of your ActiveX controls may stop working.  You can test this new IE voodoo by downloading an optional patch for IE from Windows Update.  Microsoft will have a tool (a retro-patch?) for making IE behave like it does now, but that tool will only be supported through the June updates.

For more information, check out this advisory for the details, or the newly added section to the FAQ (as of yesterday) to this advisory, and read this blog posting from a Microsoft employee working this issue.  The blog posting includes specific advice for enterprise users (in summary... test!) and for consumers (in summary... use Windows Update and be happy!)

UPDATE 1: Some readers have written in to express their unhappiness that the non-security-related patch done for legal reasons is being released with the fix for the zero-day IE flaw.  I agree.  I don't like to see them together either.  Consider your complaint on that registered with the ISC, not that we can do anything about it.

--Ed Skoudis.
