MS issues eleventh hour Snapshot bug workaround
Rush to fix serious ActiveX flaw
Microsoft has taken the unusual step of issuing a workaround for a new security bug involving Microsoft Office a day before its regular Patch Tuesday update.
Hacking attacks targeting a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access prompted Redmond's security gnomes to issue an advisory on Monday. The flaw affects the Snapshot Viewer in Microsoft Office Access 2000, 2002 and 2003. Snapshot Viewer displays summaries of Microsoft Office Access reports without requiring Access itself to be run.
Redmond said the flaw has become the focus of targeted attacks. Attack scenarios involve tricking users into visiting sites containing rogue ActiveX controls designed to exploit the vulnerability. If successful, the approach would allow hackers to obtain the same rights as the logged-on user on compromised machines.
Although Microsoft has not yet corrected the underlying vulnerability, it has several suggestions* on how to set a kill bit to disable an unwanted ActiveX control. Some of these involve preventing COM objects from running in Internet Explorer, or disabling scripting. The first of these means using the Registry Editor, where mistakes can really screw up your system, while the second might leave users unable to use many websites normally. Given these choices, less technically knowledgeable Windows users might do better to use either Firefox or Opera pending the availability of a patch, which Microsoft has begun to develop.
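The kill-bit workaround the advisory describes amounts to one DWORD under the ActiveX Compatibility key in HKLM, so it can be applied and verified without hand-editing the registry. The script below is an added example, not the article's or Microsoft's own code; it assumes an elevated PowerShell session and uses a placeholder CLSID, since the Snapshot Viewer control's CLSID is not given here.

```powershell
# Added example (not from the article or from Microsoft's advisory): set and verify the
# Internet Explorer kill bit for an ActiveX control, the first workaround described above.
# Assumptions: elevated PowerShell on Windows; the CLSID below is a PLACEHOLDER and must be
# replaced with the control's real CLSID from the advisory. Only the one per-CLSID subkey is
# touched, so an unrelated part of the registry cannot be damaged by a typo in the flag value.
# On 64-bit Windows the 32-bit IE view lives under HKLM:\SOFTWARE\Wow6432Node\... as well.

$KillBit = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control

function Get-ActiveXCompatibilityKeyPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to the braced GUID form used by the registry key name
    $g = [guid]$Clsid
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$($g.ToString())}"
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-ActiveXCompatibilityKeyPath $Clsid
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-ActiveXCompatibilityKeyPath $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Preserve any compatibility flags already present; only OR in the kill bit
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

# PLACEHOLDER CLSID: substitute the value published in Microsoft's advisory for the control
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit $clsid
"Kill bit set for $clsid : $(Test-ActiveXKillBit $clsid)"
```

Test-ActiveXKillBit can also be run on its own across a fleet to confirm the workaround actually landed before relying on it.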
ActiveX controls are a perennial source of security problems which Microsoft plans to finally address in the bundle of security enhancements due to ship with IE8. The list of problems with the technology (frankly too long and painful to list here) goes back to the genesis of Internet Explorer or, to put it another way, a time when Billie Piper was best known as a companion of Chris Evans, rather than Doctor Who. ®
* Any time we see an advisory with three or four suggested workarounds instead of one, we can't help but think none of them work particularly well.
I think Billie was pretty young - 17? - when she was boffing Ginger Evans. Oh how jealous I was.
Not sure if I prefer the 'Honey 2 the B' or 'Belle du Jour' - era Billie now, though - though I'd happily take either.
Paris cos she knows she's not nothing on her...
Reality and the web
I think we all agree that ActiveX was a hack thrown together by Microsoft in an attempt to leapfrog Netscape in the browser market. The problem is, a lot of people/companies use ActiveX controls. Regarding, "I've yet to see an ActiveX control that works consistently.", I assume you've never seen Adobe Flash that shows up on most major websites without any issue. It's an ActiveX control! Microsoft can't "...just give up and KILL ActiveX ..." because all those websites and companies that use and implement ActiveX controls will scream bloody murder without a significant amount of handholding to move them to a new solution. Try removing the Plugin technology from Mozilla and see how many happy customers you have left.
Now, I agree that MS has acted pretty poorly in not attempting to wean their development community off of ActiveX years ago and providing a cutoff date for ActiveX. Let's hope that they properly address this in IE 8 rather than continue to use band-aids to deal with what is ultimately a sucking chest wound in the security of their browser.
Oh, regarding the "Code quality - the missing ingredient ..." statement. MS has many applications with exposed interfaces to make it easier for users like you or me to script their applications to do interesting things because "we" demanded it. To then turn around and slam them because someone found an obscure backdoor through IE/ActiveX to these exposed interfaces and say that "...see, if they had let me look at the code, this wouldn't happen" is flawed logic at best or just blatantly ignorant at worst. MS runs millions of tests per day against these apps to find and prevent security flaws. Bugs still get through when an unforeseen interaction takes place. It doesn't matter if you have an extra hundred eyes poring over the code because very few people spend their lives just looking at code. People go and look at code when an issue occurs. Why do you think the XP testing scheme is, if you find a bug, write a test case that can reproduce that bug, fix it, verify the test case passes? It isn't "pore through the code and try to imagine bugs that can occur".
Ultimately I will admit I much prefer having the source code available when I encounter a bug with a system, but hey, if I don't like how MS does business I can always choose a different solution.
@ Eddie Johnson