Another bug-a-day campaign surfaced Tuesday as the “Month of ActiveX Bugs” debuted. Although some researchers have already dismissed the project as copycat, others are warning its findings might put Windows users at risk of attack.
The sparse postings so far on the Month of ActiveX Bugs (MoAxB) site by someone identified as “shinnai” hint that the majority of the vulnerabilities will be denial-of-service (DoS) flaws that can cause the running application and/or operating system to crash, forcing a relaunch or restart.
ActiveX is a Microsoft Corp. technology for enhancing and customizing Web pages to make them more interactive. ActiveX is used for a bewildering array of chores, from initiating Microsoft’s Windows Update to adding streaming media to a Web site.
As of Wednesday, MoAxB has posted two vulnerabilities. One is in a PowerPoint viewer; the other in an Excel viewer. The controls can be used to host an Excel or PowerPoint file in an online form or on a Web page, and they are sold by a developer tools company called Office OCX.
In a warning to customers of its DeepSight threat network, security vendor Symantec Corp. dismissed the debut bug, saying, “The first posted vulnerability is of little significance.” But other security companies, including Danish bug tracker Secunia APS and the French firm FrSIRT.com, have pegged the ActiveX vulnerabilities as “highly critical” and “critical,” respectively.
And some writers on the Full Disclosure security mailing list weren’t ready to brush off the bugs simply because they seemed to be DoS vulnerabilities, not more dangerous remote-execution-type flaws. “Regardless of whether it results in remote code execution, I don’t think a DoS should necessarily be discounted as frivolous or irrelevant,” said one writer identified as Steven. “It might not rank up there with ‘critical’ or ‘high’ vulnerabilities, but it is a vulnerability nonetheless.”
“There have been multiple instances on the [security mailing] lists throughout the years where a DoS suddenly became promoted to a remotely exploitable bug,” said a writer named Robert on the same thread.