
Microsoft: Attacks on Unpatched Windows Flaw

Microsoft warned today that hackers are targeting a previously unknown security hole in Windows XP and Windows Server 2003 systems to break into vulnerable PCs. Today's advisory includes instructions on how to mitigate the threat from this flaw.

In a security alert posted today, Microsoft said the vulnerability could be used to install viruses or other software on a victim's PC if the user merely browsed a hacked or booby-trapped Web site designed to exploit the security hole. Redmond says at this time it is aware of "limited, active attacks that exploit this vulnerability."

Microsoft doesn't define "limited, active" attacks in the context of this vulnerability, but the SANS Internet Storm Center is reporting that thousands of newly compromised Web sites have been seeded with code that exploits this vulnerability. SANS also says instructions for exploiting the vulnerability have been posted to a number of Chinese Web sites.

According to a press release published by Symantec, one of the sites distributing malware in this attack is the official Web site for the Russian Embassy in Washington.

Vincent Weafer, vice president of Symantec Security Response, said the flaw affects Windows XP users with Internet Explorer 6 or 7 installed, but that IE8 users are not vulnerable.

Microsoft says the problem stems from a weakness in a Microsoft Video ActiveX Control, and that it is working on an official patch to plug the security hole. In the meantime, the company says customers should consider disabling the feature because there don't appear to be any by-design uses for this ActiveX control within Internet Explorer -- the default Web browser on Windows.


To do this, affected users can click on the "Fix This Problem" icon at this page to disable the vulnerable Windows component. Microsoft notes that "while Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we recommend that they also implement the workarounds as a defense-in-depth measure."
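Internet Explorer's standard mechanism for disabling an ActiveX control is the "kill bit": the 0x400 bit in the `Compatibility Flags` value under the control's class identifier in the `ActiveX Compatibility` registry key. The following is an added example, not code from Microsoft's advisory or from this article, that checks a `reg export` of that key for the flag; the class identifiers in it are placeholders, since this page does not list the real ones, which should be taken from Microsoft's advisory.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that tells IE never to load the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample in `reg export` (.reg) format. The CLSIDs are placeholders,
# not the real identifiers of the Microsoft Video ActiveX Control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000c00
'''

def parse_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in a .reg export."""
    flags, clsid, prefix = {}, None, BASE.lower() + "\\"
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]")
            clsid = key[len(prefix):].upper() if key.lower().startswith(prefix) else None
        elif clsid:
            m = re.match(r'"Compatibility Flags"=dword:([0-9a-f]{8})$', line, re.I)
            if m:
                flags[clsid] = int(m.group(1), 16)
    return flags

def audit(reg_text, wanted_clsids):
    """Return 'blocked', 'flag not set' or 'no entry' for each CLSID to be disabled."""
    flags, report = parse_flags(reg_text), {}
    for c in wanted_clsids:
        value = flags.get(c.upper())
        if value is None:
            report[c] = "no entry"          # the workaround never touched this control
        elif value & KILL_BIT:
            report[c] = "blocked"           # kill bit set, other bits may be set too
        else:
            report[c] = "flag not set"      # entry exists but IE may still load it
    return report

if __name__ == "__main__":
    ids = ["{00000000-0000-0000-0000-00000000000%d}" % i for i in range(1, 5)]
    for clsid, state in audit(SAMPLE_REG, ids).items():
        print(clsid, state)
```

Files written by `reg export` are normally UTF-16, so decode them with that encoding before passing the text to `audit`.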

By Brian Krebs  |  July 6, 2009; 2:40 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  | Tags: activex, ie, microsoft 0day  


So is this an IE only problem?

Posted by: Hemisphire | July 6, 2009 3:00 PM | Report abuse

My question, too. If so I won't worry about it for the moment. Although I have IE on my machine I only use it (reluctantly) for checking my new website pages to see how badly IE is trashing them. Firefox, Chrome, Opera and Safari all behave predictably. IE: all bets are off. (Sorry for the vent, but I've just finished spending about two full days trying to make a new site more IE friendly without messing it up too much in all other browsers.) Arggh.

Posted by: rsh43 | July 6, 2009 3:22 PM | Report abuse

Sorry about that. I thought I'd included mention that this was an IE-specific problem. I've added a bit to clarify that. Thanks!

Posted by: BTKrebs | July 6, 2009 3:37 PM | Report abuse

I found a tool called registryeasy that says it can fix the problem at: , has anyone tested it?

Posted by: bandoswuu | July 6, 2009 9:01 PM | Report abuse

Perhaps somebody should check out the reference noted at Http://

Thank God I don't use IE8 unless all else fails.

Posted by: | July 7, 2009 2:15 AM | Report abuse

Apparently you must have IE up to either enable or disable the workaround.

It sure didn't like Firefox 3.5. LOL

Posted by: | July 7, 2009 2:18 AM | Report abuse

Do anti-virus programs catch and stop this threat?

Posted by: JBV1 | July 7, 2009 2:40 AM | Report abuse

You have to admire their sense of humor. In the Microsoft Security Advisory article it shows the 'Fix it' thing and after you run it you are supposed to go to the "Did it fix it" section where it says "Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed...".

Check it how?

Posted by: cduwel | July 7, 2009 6:05 AM | Report abuse

The "fix it" workaround button in the article is a fabulous idea. Thank you to whomever thought of implementing such a convenient tool.

Posted by: 0nl00k3r | July 7, 2009 8:58 AM | Report abuse

So, just click on a button, "Fix It", and all is well? Too funny. Nice. It downloads a file? Oh, it MUST be ok, it's from Microsoft!

Can't wait to see what the bad guys do to exploit *THAT* simplistic mindset. "Oh, click on this has the Microsoft logo so it must be ok."

Are you kidding me?

Posted by: redhatnation | July 7, 2009 9:07 AM | Report abuse

@redhatnation: the alternative is asking hundreds of millions of users who have never once edited the Windows registry to do so. By clicking on a graphic and then installing the downloaded file from, this automates that process so that users can't screw it up and hose their system accidentally.

Posted by: BTKrebs | July 7, 2009 9:12 AM | Report abuse

@redhatnation unfortunately, you have to make the fix not more than one order of magnitude more difficult to implement than the vector of infection itself.

Be glad that they've made it as painless as possible. I'd rather run the risk of someone social engineering this solution than having thousands more bot drones spewing out spam.

As Forrest Gump said: Stupid is as stupid does.

Posted by: Annorax | July 7, 2009 8:38 PM | Report abuse

If you plan to use the MS "Fix it" workaround button, just make sure you also download the "Disable workaround" button, too.
The "fix" broke the internet access on my laptop, and I had to download the disable file to the DH's computer & save it to a CD in order to get IE7 up and running again.

Posted by: MayFran | July 8, 2009 9:42 AM | Report abuse

Too bad you weren't more specific in informing us that Firefox users DON'T have to worry about this vulnerability. What about Safari, or Opera?

All the pertinent information for the WHOLE community would be nice.


Posted by: tidalgraphics | July 8, 2009 10:59 AM | Report abuse


"Do anti-virus programs catch and stop this threat?"

Many do. We do here at Sophos. We detect these as Exp/VidCtl-A and Mal/JSShell-D. We posted more information in our blog:

Posted by: bethjones | July 10, 2009 8:55 AM | Report abuse


If you have IE on your machine (and what Windows machine does not), you might not have full control or awareness of when IE, or parts of IE, are used.

For example, one of my email applications "requires IE" but I've never seen anything obvious that it is doing. I only recall seeing the requirement on the web site.

Am I therefore vulnerable to this or other IE vulnerabilities? I can't seem to prove I'm not. So although I've installed and am "only" using Firefox, I try to keep IE patched.

Posted by: goneva | July 10, 2009 3:52 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company