
Bug of the Month
Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
This month the Bug of the Month goes to Microsoft, for this XML ActiveX control bug. The first notice of this bug came in the 11/6 BugBlog:
Microsoft has issued a Security Advisory about a bug in the XMLHTTP 4.0 ActiveX Control. This control is part of Microsoft XML Core Services 4.0 on Windows, which should be present on Windows 2000, Windows XP, and Windows Server 2003 computers, even if the users don't know it. However, Windows Server 2003 users running with Enhanced Security Configuration on will not be vulnerable. An attack could be mounted if you browse to a maliciously designed page, resulting in hostile code running on your computer. Microsoft is working on a patch which will be coming in a future Patch Tuesday. Read the details at http://www.microsoft.com/technet/security/advisory/927892.mspx.
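Until the patch is applied, the usual way to keep a vulnerable ActiveX control such as this one from being loaded by a web page in Internet Explorer is the "kill bit": a Compatibility Flags value of 0x400 under the control's CLSID in the ActiveX Compatibility registry key. The following PowerShell function is an added example, not code from the BugBlog or from Microsoft; it reports whether the kill bit is set for a given CLSID. The CLSID passed at the bottom is a placeholder, not the real identifier of the XMLHTTP 4.0 control, which you would take from Microsoft's advisory.

```powershell
# Added example (not from the BugBlog post): report whether Internet Explorer's
# kill bit is set for an ActiveX control, i.e. whether IE will refuse to
# instantiate that control from a web page regardless of the page's script.
function Get-ActiveXKillBitStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Clsid
    )
    process {
        # 0x400 is the COMPAT_FLAG that IE honours as "never load this control".
        $KillBitFlag = 0x400
        $KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

        if (-not (Test-Path -Path $KeyPath)) {
            # No compatibility entry at all means no kill bit: the control is loadable
            # if it is installed and not blocked by another mechanism (e.g. ESC).
            return [pscustomobject]@{
                Clsid      = $Clsid
                KeyPresent = $false
                Flags      = $null
                KillBitSet = $false
            }
        }

        $flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            Clsid      = $Clsid
            KeyPresent = $true
            Flags      = $flags
            # Bitwise test: the kill bit may be combined with other compatibility flags.
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
        }
    }
}

# PLACEHOLDER CLSID for illustration only; substitute the CLSID of the control
# you are checking, as listed in the vendor advisory.
'{00000000-0000-0000-0000-000000000000}' | Get-ActiveXKillBitStatus | Format-List
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under the Wow6432Node branch, so an inventory script should check both paths. A kill bit is a stopgap that blocks the control in IE only; the MS06-071 patch is still needed to fix the code itself.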
The patch for this was released as part of Microsoft's Patch Tuesday for November, on November 14. With so many Microsoft bugs getting fixed this day, the patch was relegated to the BugBlog Plus.
Microsoft has issued a patch for the Critical security bug in the XMLHTTP ActiveX control that is in Microsoft XML Core Services. Exploit code for this bug has been circulating, and the BugBlog Plus noted the problem on 11/6. An attacker could design a webpage that could use this bug to take complete control of a computer. Microsoft has the patch at http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx. They credit Robert Freeman of ISS and Dror Shalev and Moti Joseph of Checkpoint for finding the problem.
Why this bug? First, it was a zero-day attack, which meant that hostile code that could exploit this bug was already circulating on various malware sites when the bug was announced on 11/6. Second, potential targets were widespread, since anyone using Internet Explorer on Windows 2000 or Windows XP was vulnerable if they visited a malicious website. Finally, the damage could be severe, with the attackers taking over the computer. And for the icing on the cake, it was yet another example of security threats coming in via an ActiveX control. (For instance, see the November 2006 Bug of the Month.)
So for these reasons, Microsoft wins another Bug of the Month.
Previous Bugs of the Month
November 2006: Microsoft ActiveX Bug
October 2006: Microsoft VML Bug
September 2006: Sony Batteries
August 2006: Microsoft Windows Genuine Advantage
July 2006: Yahoo! Mail
June 2006: Symantec Enterprise AV
May 2006: Microsoft Wins Special Lifetime Achievement Bug Award
April 2006: Adobe Macromedia Flash Player
March 2006: Microsoft Windows Media Player
February 2006: Apple QuickTime
January 2006: Microsoft WMF Bug
December 2005: Sony's Secret DRM Scheme Leaves Users Exposed
November 2005: Four Separate Bugs Leave Windows Open to Takeover
October 2005: Acrobat Screws Up MS Word
September 2005: Apple Security Update Breaks 64-bit Apps
August 2005: Cisco IOS Vulnerable to IPv6 bug
July 2005: RealNetworks Fixes Four Bugs in Their Media Player
June 2005: Flawed Rollout for Netscape 8
May 2005: TCP/IP Fix for Windows
April 2005: Denial of Service against Symantec Norton AntiVirus
March 2005: IDN Spoofing Bug
February 2005: Windows Animated Cursor Bug
January 2005: Windows Firewall Problems with Dial-up connections
The Bug of the Month is also posted at Blogcritics.org
Copyright 2003-2007 BJK Research LLC