0-day vulnerability actively exploited in IE

A new 0-day vulnerability in Microsoft’s ActiveX Video Control puts the focus, once again, on browser security. Thousands of web sites (most of them compromised) are already being used to exploit this vulnerability and take control of users’ workstations.

Microsoft has already published a security advisory and a technical analysis on its security blog, but no security update. The only workaround is to use the famous Kill-bit to disable this ActiveX control (or to surf using a browser other than IE…). Still, Microsoft deserves a red card, because the CVE number (CVE-2008-0015) and its creation date prove that they have been aware of this vulnerability for 18 months.

At commonIT, our virtualized browser product, Virtual Browser, can protect users, by design, against these kinds of attacks. Indeed, even when using the Internet Explorer rendering engine, successful exploitation of this vulnerability will not give the attacker control of the user’s workstation, the company network or other trusted web applications. Any malicious code will be automatically destroyed when the user closes the window. Stress-free Internet?
