Microsoft posts work-around for IE flaw

Microsoft on Friday released a work-around for an Internet Explorer vulnerability that has left Windows users open to attack for almost nine months.

The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism a network of compromised Web sites used to install a malicious program on visitors' computers. Microsoft has decided to plug the hole by disabling the component's ability to write to the local system from a Web page. The software giant published the work-around on its Web site and directed customers to use its Windows Update service to download the change.

Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security program manager for Microsoft's security response center.

"It is a permanent change, but it is an interim step--we are still in the middle of our investigation," he said. "We have taken a look at the functionality in the product and seen that that functionality is really being used by attackers."

The change closes the hole that allowed several compromised Web sites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program recorded keystrokes and sent them to an overseas e-mail address. That Internet Explorer security issue, and several others, led some security experts to suggest that users consider alternative browsers.

Microsoft's configuration change blocks the ability of the ADODB.Stream ActiveX component to write to the PC's hard drive when invoked from Internet Explorer. ActiveX, which lets Web pages viewed in Internet Explorer run native code components, has long been criticized for its security weaknesses.
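The article describes the work-around only as "blocking" ADODB.Stream. Microsoft's published instructions do this by setting the control's "kill bit" (the 0x400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key for the control's CLSID), which stops Internet Explorer instantiating it at all. The script below is an added example, not Microsoft's code or the article's own: it parses a regedit export of that key, reports which CLSIDs carry the kill bit, and emits the .reg text that applies it to ADODB.Stream. The ADODB.Stream CLSID and the 0x400 value are taken from Microsoft's instructions as I know them and should be verified against the current Microsoft article before deployment; the second CLSID in the sample export is a made-up placeholder, and the whole sample export is constructed for the demonstration.

```python
"""Audit a regedit export of IE's ActiveX Compatibility key for the ADODB.Stream kill bit.

Added example, not Microsoft's code. The CLSID and kill-bit value below are
assumptions taken from Microsoft's published work-around; verify them against
the current Microsoft article before relying on this script.
"""
import re

ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"  # assumed, see lead-in
KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating the control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# A .reg line such as:  "Compatibility Flags"=dword:00000400
_DWORD_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Parse a regedit .reg export into {key path: {value name: int}}.

    Only REG_DWORD values are kept, which is all the kill-bit check needs.
    Comments, blank lines and the file header are skipped.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _DWORD_VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = int(m.group(2), 16)
    return entries


def kill_bit_set(flags):
    """True when the kill bit is present in a Compatibility Flags value."""
    return flags & KILL_BIT == KILL_BIT


def audit_kill_bits(text):
    """Map each CLSID under the ActiveX Compatibility key to whether its kill bit is set.

    A CLSID with a Compatibility Flags value that lacks 0x400 (or has no value
    at all) is reported as not blocked, because IE will still instantiate it.
    """
    prefix = COMPAT_KEY.upper() + "\\"
    result = {}
    for key, values in parse_reg_export(text).items():
        if not key.upper().startswith(prefix):
            continue
        clsid = key[len(prefix):].upper()
        result[clsid] = kill_bit_set(values.get("Compatibility Flags", 0))
    return result


def adodb_stream_blocked(text):
    """True only if the export shows the kill bit set for ADODB.Stream."""
    return audit_kill_bits(text).get(ADODB_STREAM_CLSID, False)


def kill_bit_reg_file(clsid=ADODB_STREAM_CLSID):
    """Emit .reg text that applies the kill bit to one control, as the work-around does."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{COMPAT_KEY}\\{clsid}]\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\n'
    )


# Constructed sample export: a placeholder control (fake CLSID) already has its
# kill bit set, while ADODB.Stream carries some other flag but not 0x400.
SAMPLE_EXPORT_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DEADBEEF-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000001
"""

if __name__ == "__main__":
    print("ADODB.Stream blocked in sample export:", adodb_stream_blocked(SAMPLE_EXPORT_BEFORE))
    print("ADODB.Stream blocked after applying fix:", adodb_stream_blocked(kill_bit_reg_file()))
    print(kill_bit_reg_file(), end="")
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg`; regedit writes that file as UTF-16, so open it with `encoding="utf-16"` before handing the text to `audit_kill_bits`. Note that the check deliberately treats any value without the 0x400 bit as "not blocked", which is the failure mode that matters here: a control whose flags were edited but never given the kill bit is still loadable by a hostile page.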

This particular vulnerability has been known about for more than nine months, said David Endler, director of incident response for security company Tipping Point.

"Though written configuration hardening instructions have been available online for a while, it's nice to finally see this particular security tweak in Internet Explorer distributed to the masses, even if it's long overdue," he said.

Microsoft continues to study this issue and expects to release a more comprehensive patch. Moreover, the company is readying a major security update for Windows XP, known as Service Pack 2, that should be out later this year.


Talkback (2 comments)

  1. Anonymous -- 07/07/04

     I have had ActiveX disabled on the system for two years now, and every time I read about this ActiveX problem you have to wonder what else is wrong with the inclusion of programs that are brought out by MicroSuck. IE is nothing more than a bug-ridden program that I have disabled too for some time now. I remember when ActiveX first came out reading some articles about the cons and how insecure the system became because of ActiveX, and that the program made the system virtually unsecurable from a security point of view. One wonders when MS will ever get it right with security issues.

  2. Anonymous -- 08/07/04

     This is a technology news site. Please include relevant hyperlinks within the stories. In this story a direct link to the MS site entry would have added value to your article.
