May declared the Month of ActiveX Bugs
April came and went without any security experts declaring it the "Month Of Something or Other". But May has already become the Month of ActiveX Bugs (MoAxB). The initiator says that the aim is to inform developers about the risks that stem from ActiveX controls. The Month of Browser Bugs already revealed how many holes can be found in ActiveX controls for Internet Explorer. But we do not need to wait for a Month of Something: at least two severe flaws in these widely used controls are already reported every week.
Now two of the flaws made public by the MoAxB project have been added to the record: one of them in the ActiveX control for the PowerPoint Viewer and another in the Excel viewer. The report says that the flaws only cause the controls to crash. An online demonstration has been provided. However, security service provider Secunia has ranked the problems as critical because arbitrary code can be executed. All that users need to do is visit a specially prepared website. When contacted by heise Security, Secunia confirmed this categorisation and said that it had reproduced the injection and execution of code itself.
On the security mailing list Full Disclosure, there has been much criticism of the unclear rankings of security problems. Specifically, almost all reports of security holes these days say that it may be possible to execute code, even when only a program crash has been demonstrated. On the other hand, often enough a crash-inducing vulnerability originally categorised as "not critical" has turned out to be a full-blown security hole after a few weeks. Ina Ragragio of Secunia says that security experts therefore need to take a closer look at such vulnerabilities and not just categorise them as DoS holes.
- MoAxB - Month of ActiveX Bugs, the MoAxB's project website