MSVidCtl ActiveX Control Vuln – Microsoft Knew For A Year, Just Didn’t Feel Like Releasing The Fix

It’s the latest Internet Explorer zero-day vuln, the MSVidCtl ActiveX control bug.  It’s dangerous.  It allows anyone to create a website that has administrator-level access to do whatever they want on your PC.  And it’s real.  It has been used on websites already.

The funny thing is, as it turns out, it’s not really a zero-day vulnerability.  Microsoft has known about the security hole since May of last year.

Huh.

So why did Microsoft just now release a fix for it then?

According to Mike Reavey, the Group Manager for the Microsoft Security Response Center (MSRC), this long delay on a known security hole with a sudden fix being released “is not so much a coincidence as we have been working on it since 2008 and these attacks cover some of that work and so we were able to move fast and address what we know bad guys are using right now.”

Uh huh.

Yeah.

We buy that.

It’s been fixed for that long, they just didn’t want to release it because no one had been actively using the security hole yet.

Actually, this is Microsoft.  I guess I do believe it!

2 Comments

  1. InsanIT.net » Blog Archive » ActiveX At It Again – Another IE Security Hole Found:

    [...] seems like just the other day when Microsoft started getting hit by a not-actually-zero-day-vuln in IE through an ActiveX control [...]

  2. InsanIT.net » Blog Archive » Firefox Update Fixes JavaScript Zero-Day Exploit – And THAT’S How It’s Done!:

    [...] of two days Mozilla took to patch the security hole.  Unlike some companies, who shall remain Microsoft. [...]
