Serious security flaw in Internet Explorer

by Steve Wiseman on July 29, 2009 · 0 comments

in ADOBE,AntiVirus,Flaw,IE,IE 7,IE 8,Microsoft

Microsoft announced on Tuesday that a serious security hole was found in all versions of Internet Explorer. The flaw is exposed through the ActiveX plugin system in IE.

If you use Internet Explorer and are running Flash, you are vulnerable. If you have any ActiveX control installed in IE, you have a good chance of being vulnerable. It only takes one website with a bad Flash file for your system to get compromised. A blog at Adobe’s website has more detailed information:

http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html

This problem is widespread. Adobe comes to the top of the list because so many people have the Flash Player, but Cisco and Google are working on fixes for their software too.

The fix (MS09-034) can be downloaded and installed to help resolve the issue, but it will not completely close the hole.

This is because the flaw is not in IE itself, but in the libraries that third-party developers use to build plugins. This means that any plugin ever created for IE has the potential of having this flaw. The only way for a vendor to fix it is to download a patch for the ATL library, recompile their code, and re-release the software.

All I can say is – what a mess.

What can you do to protect your network? The first answer is to run an alternative browser.

Many times this is impossible. The second way is to have tight control over what ActiveX plugins are used, and to verify with the vendor that they have recompiled with the new ATL library.
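Tight control starts with knowing which controls are registered on each machine. The PowerShell below is an added example, not part of the original article: it assumes the standard COM registration keys and IE's kill-bit flag (0x400 under `ActiveX Compatibility`), only reads the registry, and does not detect the ATL flaw itself. It produces the vendor, version and file date list you need when asking each vendor whether that build was recompiled.

```powershell
# Added example (not from the original article): read-only inventory of
# registered ActiveX controls, for comparison with vendors' rebuilt releases.
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE loading a control

# Native and 32-bit-on-64-bit registry views (run from a 64-bit console).
$views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$inventory = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
    foreach ($key in Get-ChildItem -Path $view.Clsid -ErrorAction SilentlyContinue) {
        # Keep only classes registered as controls with an in-process server.
        $server = $key.OpenSubKey('InprocServer32')
        if (-not $server -or -not $key.OpenSubKey('Control')) { continue }
        $raw = [string]$server.GetValue('')
        if (-not $raw) { continue }
        $path = $raw.Trim('"')

        # Kill-bit status for this CLSID in the matching registry view.
        $compatKey = Join-Path $view.Compat $key.PSChildName
        $flags = (Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'

        # The file may be missing (stale registration); its fields stay empty.
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            CLSID       = $key.PSChildName
            Name        = $key.GetValue('')
            Path        = $path
            Vendor      = $file.VersionInfo.CompanyName
            FileVersion = $file.VersionInfo.FileVersion
            Modified    = $file.LastWriteTime
            KillBitSet  = [bool]($flags -band $KillBit)
        }
    }
}

$inventory | Sort-Object Vendor, Name | Format-Table -AutoSize
```

Controls with `KillBitSet` true are already blocked in IE; the rest are the ones to check against vendor release notes.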

The big red light here is that any ActiveX plugin is now a potential flaw waiting to be exploited.

More detailed information about the flaw and its fixes can be found here:

http://www.microsoft.com/technet/security/advisory/973882.mspx
