Microsoft: Ask us and we'll lock down your ActiveX control

Microsoft said it would lock down other vendors' software using Windows Update-delivered fixes if those companies ask Microsoft to help stymy attacks. The company explained its efforts after being asked about a security update that disabled a vulnerable ActiveX control used by Yahoo's music player program. "If an independent software vendor discovers that they have shipped […]

Microsoft said it would lock down other vendors' software using Windows Update-delivered fixes if those companies ask Microsoft to help stymy attacks. The company explained its efforts after being asked about a security update that disabled a vulnerable ActiveX control used by Yahoo's music player program.

"If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail secure@microsoft.com to work with Microsoft to issue a kill bit, disabling that control," Tim Rains, a spokesman for the Microsoft Security Response Center (MSRC), said in an e-mail.

Earlier in the day, Microsoft released eight security updates, including one that set the "kill bit" for the Yahoo Music Jukebox -- software that until a February revision was released had shipped with two buggy ActiveX controls.

Setting the kill bit for an ActiveX control involves modifying the Windows registry and disables the ActiveX control. It does not patch the problem, and setting the kill bit means the control's functionality is lost. The policy is not new, said Rains, although the manner in which Microsoft served up the latest kill bit is. "Microsoft issued a security update specifically including kill bits for these ActiveX controls because it provides advantages to customers rather than wrapping them into Internet Explorer cumulative updates, which has been the usual method for distributing ActiveX kill bits," he said.

Full Article

Microsoft, Security, Vulnerability, ActiveX, Support