Microsoft: 'ActiveX error is just a mediocre error'

After US-CERT and SecurityFocus revealed a new ActiveX security flaw in the Internet Explorer 6 browser on the Microsoft Security Response Center Blog, Microsoft said it would investigate the specific vulnerability.

Yesterday, Microsoft officially revealed details about this security error.

Microsoft claims that this ActiveX security error is not at all dangerous: it is just a mediocre security error that is difficult to exploit to remotely hijack a system.

The ActiveX error affects only the few Windows versions that have Microsoft XML Core Services 4.0 installed, a set of tools that allows programmers to use scripting languages to access XML-formatted documents.

Specifically, the affected Windows versions include Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003, and Microsoft Windows Server 2003 Service Pack 1.

To exploit this security error successfully, an attacker must trick users into visiting a specially crafted website containing code that exploits the XMLHTTP 4.0 ActiveX Control error. Moreover, the attacker is restricted to gaining access to the system at the same level as the access the user is using. If these conditions are met, it is possible to gain full control over the affected system.

Microsoft says a similar XMLHTTP ActiveX Control bug was discovered 5 years ago. This error was later fixed.

To protect themselves, users can disable the browser's ActiveX Control feature. However, with this feature disabled, some sites may have problems.

The SANS Institute classified the newly discovered ActiveX Control error in Internet Explorer 6 as a "zero-day" error. This means that the error has not been patched yet. Meanwhile, some other security firms rate this error as 'extremely dangerous'.

Hoang Dung