Month of ActiveX Bugs (MoAxB)

May 02, 2007

Here we go again. Someone's planning to release one ActiveX-related bug a day throughout May.

Perhaps the biggest vulnerability research fad in the last year or so has been the "month of (whatever) bugs." Whatever. This time it's ActiveX, and the MoAxB or, as the author (after saying "sorry for my poor english") puts it, "Month of ActiveX Bug."

The author says: "most of them are simple DoS (don't worry there are also some code execution) but that's because MoAxB has only a sense: to inform developers about the risk of using activex controls." (A DoS, or denial of service, is in this context a bug that crashes an application.)

Some DoS bugs are evidence of hidden code execution bugs, but not all are. Don't assume that a DoS bug indicates anything more than the ability to crash a program by feeding it bad input.

Furthermore, the author is somewhat misleading when he refers to the risks of using ActiveX controls. The first bug of the month (see below) is probably typical: It's a commercial program that runs in the context of a Web browser. The fact that it's an ActiveX control has little or nothing to do with the bug. If the program were in another form, such as a Firefox plug-in, it would likely have the same bug.

On to the first bug: It's (as promised) a DoS in a third-party PowerPoint viewer control.

Not an auspicious opening for the MoAxB, but perhaps more important bugs will be forthcoming.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International
