[News] Microsoft ActiveX Controls Strike Again, Dumping Recommended
New Attack Kit Targets Bag of ActiveX Bugs
,----[ Quote ]
| Bugs in ActiveX, a Microsoft technology used most often to create add-ons for
| the company's Internet Explorer (IE) browser, have always been common, but so
| many serious flaws have been disclosed of late that some security experts
| have recommended users do without them.
`----
http://www.pcworld.com/article/id,144214-pg,1/article.html
But Miguel loves ActiveX. He said so.
"We should dedicate a cross-group team to come up with ways to leverage Windows
technically more."
    --Jim Allchin, Vista escapee
Related and recent:
Be prepared: ActiveX attacks will persist
,----[ Quote ]
| A recent string of high-profile ActiveX vulnerabilities caused the U.S.
| Computer Emergency Readiness Team (US-CERT) to advise users to disable the
| ubiquitous Microsoft browser plug-in technology altogether.
`----
http://www.infoworld.com/article/08/02/19/08NF-activex-horror_1.html
Will Microsoft Change How ActiveX Runs in IE 8?
,----[ Quote ]
| Some security experts, like Will Dormann, a vulnerability analyst at the
| Carnegie Mellon Software Engineering Institute CERT/CC, are calling for
| ActiveX to be disabled from running by default in IE 8.
|
| Dormann is telling IE users that they should, from a security perspective,
| disable ActiveX controls from running by default. "It would be nice if this
| is something Microsoft did with the next version of the browser," he said.
`----
http://www.eweek.com/c/a/Security/Will-Microsoft-Change-How-ActiveX-Runs-in-IE-8/
Older:
Rogue ActiveX controls menace users
,----[ Quote ]
| Flaws in ActiveX controls are being increasingly used to run security
| exploits.
|
| [...]
|
| An attack exploiting this vulnerability can lead to arbitrary code execution
| by a remote attacker," a blog posting by Symantec researcher Parveen
| Vashishtha warns.
`----
http://www.theregister.co.uk/2007/10/24/activex_vulns/
RealPlayer Attack Circulating
,----[ Quote ]
| The attack exploits a flaw in an ActiveX browser helper object, software that
| RealPlayer employs to help users who are experiencing technical difficulties,
| so the PC must be using the Internet Explorer browser to be affected by this
| particular attack, Symantec said.
`----
http://news.yahoo.com/s/pcworld/20071020/tc_pcworld/138706
Yahoo! battered by second ActiveX vulnerability
,----[ Quote ]
| The vulnerabilities affect versions of Yahoo! Messenger 8.x prior to version
| 8.1.0.419, released late last week. Users are urged to upgrade.
`----
http://www.theregister.co.uk/2007/09/03/yahoo_activex_vuln/
Way Too ActiveX
,----[ Quote ]
| Today, over at Symantec's Security Response Weblog, Greg Ahmad
| reveals startling--and I do mean shocking--increases in ActiveX
| vulnerabilities. According to Symantec, ActiveX vulnerabilities
| stayed in the 12- to- 15-a-year range from 2002 to 2005. For
| 2006, the number of vulnerabilities "reached 50," with 42 in
| the second half of the year--coincidentally, the same time
| period Microsoft finished up and released Internet Explorer 7.
`----
http://www.microsoft-watch.com/content/security/way_too_activex.html?kc=MWRSS02129TX1K0000535
http://tinyurl.com/33cfno
Acer puts Active X hole on laptops
,----[ Quote ]
| Laptop outfit Acer seems to have placed an Active X control on its
| computers that seems to allow webpages to execute any program.
|
| This huge hole in network security has been installed on board Acer
| lap-tops since 1998.
`----
http://www.theinquirer.net/default.aspx?article=36773
Adobe Confirms 'Critical' Reader, Acrobat Exploits With IE
,----[ Quote ]
| A critical security vulnerability in an ActiveX control used by
| Internet Explorer could allow malicious hackers to use Adobe's
| Reader and Acrobat software to launch PC hijack attacks,
| according to a warning from Adobe Systems.
`----
http://www.pcmag.com/article2/0,1895,2066079,00.asp
Month of ActiveX bugs project begins with two Office flaws
,----[ Quote ]
| A hacker known as shinnai kicked off his "Month of ActiveX Bugs"
| (MoAxB) project with a bang by exposing a number of severe
| vulnerabilities affecting OCX controls in Microsoft Office.
`----
http://scmagazine.com/us/news/article/654659/month-activex-bugs-project-begins-two-office-flaws/
Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended
* Roy Schestowitz peremptorily fired off this memo:
> New Attack Kit Targets Bag of ActiveX Bugs
>
> ,----[ Quote ]
>| Bugs in ActiveX, a Microsoft technology used most often to create add-ons for
>| the company's Internet Explorer (IE) browser, have always been common, but so
>| many serious flaws have been disclosed of late that some security experts
>| have recommended users do without them.
> `----
>
> http://www.pcworld.com/article/id,144214-pg,1/article.html
>
> Be prepared: ActiveX attacks will persist
> Will Microsoft Change How ActiveX Runs in IE 8?
> Rogue ActiveX controls menace users
> RealPlayer (ActiveX) Attack Circulating
> Yahoo! battered by second ActiveX vulnerability
> Way Too ActiveX
> Acer puts Active X hole on laptops
> Adobe Confirms 'Critical' Reader, Acrobat Exploits With IE
> Month of ActiveX bugs project begins with two Office flaws
Ironically, our company is pushing to digitally sign all emails (because
of the frequency of spoofing), and you have to use ActiveX in order to
get the certificate.
Funny as a crutch.
I had a player miss three soccer games because I didn't realize that
her company was filtering out my team emails as spam.
And yet we have idiots claiming that Microsoft has only a beneficent
effect on IT. Microsoft is a cancer.
--
Like almost everyone who uses e-mail, I receive a ton of spam every day. Much
of it offers to help me get out of debt or get rich quick. It would be funny if
it weren't so irritating.
-- Bill Gates, "Why I Hate Spam" in Microsoft PressPass (2003)
Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended
On Tue, 08 Apr 2008 04:24:05 +0100, Roy Schestowitz wrote:
> New Attack Kit Targets Bag of ActiveX Bugs
>
> ,----[ Quote ]
>| Bugs in ActiveX, a Microsoft technology used most often to create add-ons for
>| the company's Internet Explorer (IE) browser, have always been common, but so
>| many serious flaws have been disclosed of late that some security experts
>| have recommended users do without them.
> `----
>
> http://www.pcworld.com/article/id,144214-pg,1/article.html
This is complete bull****.
The flaws are in valid plug-ins. These plug-ins would exist no matter what
plug-in technology was used. The vulnerabilities are not in ActiveX
itself, but the controls that use ActiveX.
If ActiveX didn't exist, the makers of these controls would simply use
Netscape plug-in APIs, or whatever plug-in API was available.
This reporter needs to learn a little bit more about what he's reporting
on.
Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended
* Erik Funkenbusch peremptorily fired off this memo:
>> New Attack Kit Targets Bag of ActiveX Bugs
>>
>> http://www.pcworld.com/article/id,144214-pg,1/article.html
>
> This is complete bull****.
Speaking of ActiveX, I finally brought up the virtual billy box so's I
could use Internut Exploder to get those goddam certificates they now
require us to have, so that the rest of the corporate morons can ignore
the "unsigned" flags and continue to clear on "spear-phishing" links
<groan>.
I then exported the certs using Outhouse Express, and then imported them
into Evolution.
Evolution is almost as bad as Outbreak, but still a little more
convenient than webmail, though it uses the same link as webmail.
I haven't been able to find OWA for fetchmail, so's I could use a real
emailer (mutt).
Too bad corporate IT won't support IMAP, SMTP, and POP3.
--
Your most unhappy customers are your greatest source of learning.
-- Bill Gates, Business @ The Speed of Thought (1999)
Re: [News] Microsoft ActiveX Controls Strike Again, Dumping Recommended
* Linonut peremptorily fired off this memo:
> Speaking of ActiveX, I finally brought up the virtual billy box so's I
> could use Internut Exploder to get those goddam certificates they now
> require us to have, so that the rest of the corporate morons can ignore
> the "unsigned" flags and continue to clear on "spear-phishing" links
^^^^^^^ click
--
Life is not divided into semesters. You don't get summers off and very few
employers are interested in helping you find yourself.
-- Bill Gates
the logic of FudingTROLL strikes again ..
On 9 Apr, 00:16, Erik Funkenbusch <e...@despam-funkenbusch.com> wrote:
> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.
zzzztttt, ZZZTTT, my mind is going, I can feel it Dave, I mean
'retard' ...
Re:danger fudingLOGIC at work ..
On 9 Apr, 00:16, Erik Funkenbusch <e...@despam-funkenbusch.com> wrote:
> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.
"A remote code execution vulnerability exists in the ActiveX control
hxvz.dll .. the vulnerability could allow remote code execution"
http://www.microsoft.com/technet/security/Bulletin/MS08-023.mspx
--
the flaws are not in the bridge itself, but in the girders that hold
up the bridge ..
Re: danger fudingLOGIC at work ..
On Sat, 19 Apr 2008 10:12:21 -0700 (PDT), Doug Mentohl wrote:
> On 9 Apr, 00:16, Erik Funkenbusch <e...@despam-funkenbusch.com> wrote:
>
>> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.
>
> "A remote code execution vulnerability exists in the ActiveX control
> hxvz.dll .. the vulnerability could allow remote code execution"
>
> http://www.microsoft.com/technet/security/Bulletin/MS08-023.mspx
Note the phrase "In the ActiveX *CONTROL*, which is precisely what I said.
Duh! Duh!g.
Re: danger fudingLOGIC at work ..
On 20 Apr, 01:23, Erik Funkenbusch wrote:
> On Sat, 19 Apr 2008 10:12:21 -0700 (PDT), Doug Mentohl wrote:
>>> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.
> Note the phrase "In the ActiveX *CONTROL*, which is precisely what I said.
This is absolutely hilarious, fuddie said <not in ActiveX itself>, but
now sees <"In the ActiveX *CONTROL*>, which is precisely not what he
said. It's a form of aphasia, he can, on the fly, rewire his visual
cortex to see exactly what he wants to see. He can also do this to his
cognitive facilities, so from now on, an activeX control isn't and
never was part of activeX.
------
Show how an activeX control isn't a part of activeX, isn't hxvz.dll
one of the main components in MS Help engine? If it isn't, what's it
doing in C:\Program Files\Common Files\Microsoft Shared\Help\ ... ???
-------
Symptoms of Aphasia: strings together nonsense words and real words
fluently but makes no sense ..
Re: danger fudingLOGIC at work ..
On Sun, 20 Apr 2008 06:05:05 -0700 (PDT), Doug Mentohl wrote:
> On 20 Apr, 01:23, Erik Funkenbusch wrote:
>
>> On Sat, 19 Apr 2008 10:12:21 -0700 (PDT), Doug Mentohl wrote:
>
>>>> The vulnerabilities are not in ActiveX itself, but the controls that use ActiveX.
>
>> Note the phrase "In the ActiveX *CONTROL*, which is precisely what I said.
>
> This is absolutely hilarious, fuddie said <not in ActiveX itself>, but
> now sees <"In the ActiveX *CONTROL*>, which is precisely not what he
> said. It's a form of aphasia, he can, on the fly, rewire his visual
> cortex to see exactly what he wants to see. He can also do this to his
> cognitive facilities, so from now on, an activeX control isn't and
> never was part of activeX.
No, you're a moron. If you knew anything about what you were discussing,
you would know that ActiveX is a *technology*, not a product. In
particular, it's a protocol. There's some code associated with it in the
OS (notably QueryInterface, CoInitialize, etc.), but not much.
Using your logic, a flaw in a Firefox plug-in is a flaw in Firefox. Or a
flaw in a third party Linux loadable library is a flaw in the Linux kernel
or maybe a flaw in a web site is a flaw in TCP/IP.
An ActiveX control is a plug-in that uses ActiveX as its interface. The flaw
was not in the interface, it was in the code of the control.
How is it you can repeatedly prove, *EVERY SINGLE TIME* how big of an idiot
you are? And each time you succeed in making yourself an even bigger
idiot.
> Show how an activeX control isn't a part of activeX, isn't hxvz.dll
> one of the main components in MS Help engine?
Yes, it is.
> If it isn't, what's it
> doing in C:\Program Files\Common Files\Microsoft Shared\Help\ ... ???
What does that have to do with anything?
It's a flaw in the help system, not ActiveX.
Re: danger fudingLOGIC at work ..
On Sun, 20 Apr 2008 14:01:22 -0500, Erik Funkenbusch wrote:
> On Sun, 20 Apr 2008 06:05:05 -0700 (PDT), Doug Mentohl wrote:
>
> How is it you can repeatedly prove, *EVERY SINGLE TIME* how big of an idiot
> you are? And each time you succeed in making yourself an even bigger
> idiot.
At least he is consistent!
Consistently wrong that is!
Doug Mentohl is obviously mentally retarded and or has some kind of brain
damage because nobody of normal intelligence could be *that* ignorant.
The best we can hope for is that he takes his meds.
--
Moshe Goldfarb
Collector of soaps from around the globe.
Please visit The Hall of Linux Idiots:
http://linuxidiots.blogspot.com/
Re: danger fudingLOGIC at work ..
On 20 Apr, 20:01, Erik Funkenbusch wrote:
> It's a flaw in the help system, not ActiveX.
Explain how a Microsoft activeX control isn't a part of activeX ...
--
"Microsoft 'hxvz.dll' ActiveX Control Memory Corruption Vulnerability"
http://www.securityfocus.com/bid/28606
"This issue is caused by a memory corruption error in the "hxvz.dll"
ActiveX control"
http://www.frsirt.com/english/advisories/2008/1147
Re: danger fudingLOGIC at work ..
On Mon, 21 Apr 2008 06:47:12 -0700 (PDT), Doug Mentohl wrote:
> On 20 Apr, 20:01, Erik Funkenbusch wrote:
>
>> It's a flaw in the help system, not ActiveX.
>
> Explain how a Microsoft activeX control isn't a part of activeX ...
Duh!g Moron, I did in the post you are quoting. Now you're being dishonest
and not just stupid.